CVE-2025-30351 — Operation on a Resource after Expiration or Release in Directus

CWE-672 — Operation on a Resource after Expiration or Release3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 54.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Monospace Directus Directus API Directus +1 more

Timeline

PublishedMar 26

Description

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.10.0 and prior to version 11.5.0, a suspended user can use the token generated in session auth mode to access the API despite their status. This happens because there is a check missing in `verifySessionJWT` to verify that a user is actually still active and allowed to access the API. One can extract the session token obtained by, e.g. login in to the app while still active and then, after the…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶npmdirectus/api18.0.0 — 24.0.1

▶npmdirectus/types11.0.7 — 13.0.0

▶npmdirectus/directus10.10.0 — 11.5.0

▶NVDmonospace/directus10.10.0 — 11.5.0

▶CVEListV5directus/directus>= 10.10.0, < 11.5.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

Suspended Directus user can continue to use session token to access API↗2025-03-26

▶

GHSA

Suspended Directus user can continue to use session token to access API↗2025-03-26

▶