CVE-2025-30351

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-30351
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.10.0 and prior to version 11.5.0, a suspended user can use the token generated in session auth mode to access the API despite their status. This happens because there is a check missing in `verifySessionJWT` to verify that a user is actually still active and allowed to access the API. One can extract the session token obtained by, e.g. login in to the app while still active and then, after the user has been suspended continue to use that token until it expires. Version 11.5.0 patches the issue.

3.5 /10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/directus/directus/commit/ef179931c55b50c110feca8404901d5633940771 Patch
https://github.com/directus/directus/security/advisories/GHSA-56p6-qw3c-fq2g Exploit Vendor Advisory
https://github.com/directus/directus/security/advisories/GHSA-56p6-qw3c-fq2g Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*
History

26 Aug 2025, 01:36

Type Values Removed Values Added
First Time Monospace directus
Monospace
CPE cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*
References () https://github.com/directus/directus/commit/ef179931c55b50c110feca8404901d5633940771 - () https://github.com/directus/directus/commit/ef179931c55b50c110feca8404901d5633940771 - Patch
References () https://github.com/directus/directus/security/advisories/GHSA-56p6-qw3c-fq2g - () https://github.com/directus/directus/security/advisories/GHSA-56p6-qw3c-fq2g - Exploit, Vendor Advisory

27 Mar 2025, 16:45

Type Values Removed Values Added
Summary
  • (es) Directus es un panel de control de API y aplicaciones en tiempo real para gestionar el contenido de bases de datos SQL. A partir de la versión 10.10.0 y anteriores a la 11.5.0, un usuario suspendido puede usar el token generado en el modo de autenticación de sesión para acceder a la API, independientemente de su estado. Esto se debe a que falta una comprobación en `verifySessionJWT` para verificar que un usuario siga activo y tenga permiso para acceder a la API. Se puede extraer el token de sesión obtenido, por ejemplo, iniciando sesión en la aplicación mientras el usuario sigue activo y, una vez suspendido, seguir usándolo hasta que caduque. La versión 11.5.0 soluciona el problema.

26 Mar 2025, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-26 18:15

Updated : 2025-08-26 01:36

NVD link : CVE-2025-30351

Mitre link : CVE-2025-30351

CVE.ORG link : CVE-2025-30351

JSON object : View

Products Affected

monospace

  • directus
CWE
CWE-672

Operation on a Resource after Expiration or Release