Operation on a Resource after Expiration or Release in @directus/api | CVE-2025-30351

Q: How to fix?

Upgrade @directus/api to version 25.0.0 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-DIRECTUSAPI-9535117
published27 Mar 2025
disclosed26 Mar 2025
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 26 Mar 2025

NewCVE-2025-30351 (opens in a new tab) CWE-672 (opens in a new tab)

How to fix?

Upgrade @directus/api to version 25.0.0 or higher.

Overview

@directus/api is a real-time API and App dashboard for managing SQL database content

Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release due to a missing check in verifySessionJWT. An attacker can continue to access the API using a session token even after the user has been suspended by using the token obtained prior to suspension.

Note:

This is only exploitable if the /auth/refresh call is not triggered, as that would invalidate the session token.

PoC

Create an active user
Log in with that user and note the session cookie
Suspend the user (and don't trigger an /auth/refresh call, as that invalidates the session
Access the API with Authorization: Bearer <token>

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Operation on a Resource after Expiration or Release Affecting @directus/api package, versions >=18.0.0 <25.0.0

Severity