CVE-2024-39895
Published 2024-07-08
Priority P3 (35); CVSS 3.1 base score 6.5 (medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS 0.80% (51.8th percentile)
Directus is a real-time API and App dashboard for managing SQL database content. A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single query. This can cause the server to perform redundant computations and consume excessive resources, leading to a denial of service for legitimate users. Requests to the /graphql endpoint are sent when visualizing graphs generated at a dashboard. By modifying the data sent and duplicating the fields many times, a DoS attack is possible. This vulnerability is fixed in 10.12.0.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| directus | directus | < 10.12.0 | 10.12.0 |
| directus | env | >= 0 < 1.1.6 | 1.1.6 |
| monospace | directus | < 10.12.0 | 10.12.0 |
GHSA (2024-07-08): CVE-2024-39895 [HIGH] CWE-400 Directus GraphQL Field Duplication Denial of Service (DoS)
### Summary
A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single query. This can cause the server to perform redundant computations and consume excessive resources, leading to a denial of service for legitimate users.
### Details
Requests to the /graphql endpoint are sent when visualizing graphs generated at a dashboard.
By modifying the data sent and duplicating the fields many times, a DoS attack is possible.
### PoC
The goal is to create a payload that generates a body like this, where the 'max' field is duplicated many times, each with the 'id' field duplicated ma
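A defender-side check that follows from the mechanism described above, added here as an example (not Directus code and not the upstream fix): count repeated field selections in a GraphQL request body before it reaches the executor and reject it above a threshold. The hand-rolled tokenizer, the collection name `sales_aggregated` and the limit of 10 are assumptions made for this example.

```javascript
// Added example, not Directus code: pre-execution check that counts repeated
// field selections in a GraphQL body and rejects it above a limit. Uses a
// hand-rolled tokenizer instead of graphql-js so it runs with no dependencies.
const MAX_DUPLICATE_FIELDS = 10; // assumed policy threshold, not from the advisory

// Names, string literals, and any other single non-space character.
const tokenize = (src) => src.match(/[_A-Za-z][_0-9A-Za-z]*|"(?:[^"\\]|\\.)*"|\S/g) || [];

// Walks every selection set; a selection repeating a field name already seen
// in the same set counts as a duplicate (aliases resolve to the real field).
function duplicateFieldStats(query) {
  const toks = tokenize(query);
  let i = 0, total = 0, maxRepeat = 0;
  function skipArgs() { // skip a balanced "( ... )" group starting at toks[i]
    let depth = 0;
    do { if (toks[i] === '(') depth++; if (toks[i] === ')') depth--; i++; }
    while (depth > 0 && i < toks.length);
  }
  function selectionSet() { // toks[i] is the opening "{"
    i++;
    const seen = new Map();
    while (i < toks.length && toks[i] !== '}') {
      if (toks[i] === '.') { // "...Fragment" or "... on Type { ... }"
        while (toks[i] === '.') i++;
        i += toks[i] === 'on' ? 2 : 1;
      } else {
        let name = toks[i++];
        if (toks[i] === ':') { i++; name = toks[i++]; } // alias: use field name
        const n = (seen.get(name) || 0) + 1;
        seen.set(name, n);
        if (n > 1) { total++; maxRepeat = Math.max(maxRepeat, n); }
        if (toks[i] === '(') skipArgs();
      }
      while (toks[i] === '@') { i += 2; if (toks[i] === '(') skipArgs(); } // directives
      if (toks[i] === '{') selectionSet();
    }
    i++; // consume "}"
  }
  while (i < toks.length) { if (toks[i] === '{') selectionSet(); else i++; }
  return { total, maxRepeat };
}

// Gate to run before handing the body to the GraphQL executor.
function validateQuery(query, limit = MAX_DUPLICATE_FIELDS) {
  const stats = duplicateFieldStats(query);
  return { ok: stats.total <= limit, ...stats };
}

// Constructed sample bodies; the collection name is made up for the example.
const BENIGN = '{ sales_aggregated { max { id } count { id } } }';
const PADDED = '{ sales_aggregated { max { ' + 'id '.repeat(20) + '} } }';
```

The same count also feeds a detection signal: log `total` and `maxRepeat` per request and alert on values far above the dashboard's normal queries.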
OSV (2024-07-08): CVE-2024-39895 [HIGH] Directus GraphQL Field Duplication Denial of Service (DoS)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/directus/directus/commit/543b345695071c1de61a35004bd063fe59dba0c8
https://github.com/directus/directus/security/advisories/GHSA-7hmh-pfrp-vcx4