Information Exposure Affecting @directus/api package, versions <25.0.0

Q: How to fix?

Upgrade @directus/api to version 25.0.0 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-DIRECTUSAPI-9534854
published27 Mar 2025
disclosed26 Mar 2025
creditmoritzgvt, Hannes Küttner

Report a new vulnerability Found a mistake?

Introduced: 26 Mar 2025

NewCVE-2025-30352 (opens in a new tab) CWE-200 (opens in a new tab)

How to fix?

Upgrade @directus/api to version 25.0.0 or higher.

Overview

@directus/api is a real-time API and App dashboard for managing SQL database content

Affected versions of this package are vulnerable to Information Exposure via the search query parameter. An attacker can enumerate unknown field contents by injecting unpermitted fields into the search query, leading to unauthorized access to sensitive data.

PoC

Create a collection with a string / numeric field, configure the permissions for the public role to not include the field created
Create items with identifiable content in the not permitted field
Query the collection and include the field content in the search parameter
See that results are returned, even tho the public user does not have permission to view the field content

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None