@directus/api (npm)
10 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting @directus/api
- CVE-2024-39699 | MEDIUM | CVSS 5.0 | EG 5.0 | Fixed in 17.1.0 | 2024-07-08
  Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP ad…
- CVE-2024-45596 | HIGH | CVSS 7.4 | EG 7.4 | Fixed in 22.2.0 | 2024-09-10
  Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query str…
- CVE-2024-46990 | MEDIUM | CVSS 5.0 | EG 5.0 | Fixed in 22.1.1 | 2024-09-18
  Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default `0.0.0.0` filter a user may bypass this block by using other registered loopback devices (like …
- CVE-2024-47822 | MEDIUM | CVSS 4.2 | EG 4.2 | Fixed in 21.0.0 | 2024-10-08
  Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are potentially exposed in system logs which may be persisted. The access token in `req.query` is not re…
- CVE-2024-54151 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 23.2.0 | 2024-12-09
  Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to "public", an unauthenticated user …
- CVE-2025-30351 | LOW | CVSS 3.5 | EG 3.5 | Fixed in 24.0.1 | 2025-03-26
  Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.10.0 and prior to version 11.5.0, a suspended user can use the token generated in session auth mode to access the API despite their sta…
- CVE-2025-55746 | CRITICAL | CVSS 9.3 | EG 9.3 | Fixed in 28.0.2 | 2025-08-20
  Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrar…
- CVE-2025-64748 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 32.0.0 | 2025-11-13
  Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual val…
- CVE-2025-64749 | MEDIUM | CVSS 4.3 | EG 4.3 | Fixed in 32.0.0 | 2025-11-13
  Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API…
- CVE-2026-26185 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 32.2.0 | 2026-02-12
  Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the…