Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Network-reachable SSRF needing only low-privilege upload rights (PR:L) and no interaction; scope changes to internal systems (S:C) with high confidentiality but no integrity/availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 12.0.0, the SSRF protection on Directus's file-import-from-URL feature can be bypassed using the address 0.0.0.0 because api/src/request/is-denied-ip.ts treats 0.0.0.0 as a keyword for local interfaces but never blocks the literal address itself. On Linux and macOS, connecting to 0.0.0.0 reaches localhost, so an authenticated user with file-upload rights can make the server fetch internal services through the /files/import endpoint and retrieve the response as a downloadable file. This issue is fixed in version 12.0.0.
AnalysisAI
Server-side request forgery in Directus before 12.0.0 lets an authenticated user with file-upload rights abuse the /files/import endpoint to make the server fetch internal-only services and return their responses as downloadable files. The flaw stems from an incomplete SSRF denylist in api/src/request/is-denied-ip.ts, which treated 0.0.0.0 as a keyword but never blocked the literal address, so on Linux and macOS a request to 0.0.0.0 resolves to localhost and bypasses the protection. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated Directus account (prior to 12.0.0) that has file-upload/import permissions, and the server must run on Linux or macOS where a connection to the literal address 0.0.0.0 is routed to localhost. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, base 7.7 High) is internally consistent with the description: network-reachable, low-complexity, requires low-privilege authentication (a user with file-upload rights), no user interaction, changed scope (the vulnerable app is pivoted to reach other systems), high confidentiality impact, and no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Directus user who holds file-upload rights calls the /files/import endpoint with a URL such as http://0.0.0.0:<port>/ pointing at an internal service (for example a cloud metadata endpoint, admin API, or database dashboard bound to localhost). Because the denylist fails to block the literal 0.0.0.0, the server fetches the internal resource and stores the response as a downloadable file the attacker can then retrieve, exfiltrating internal data. … |
| Remediation | Vendor-released patch: upgrade Directus to version 12.0.0 or later, which updates the IP denylist to parse the 0.0.0.0/8 subnet and block the IPv6 unspecified address :: (per PR #27606 and commit f75b25f); see the advisory at https://github.com/directus/directus/security/advisories/GHSA-j5h6-vqc3-phqh and release https://github.com/directus/directus/releases/tag/v12.0.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: audit and revoke file-upload permissions for all non-administrative users in Directus installations; document remaining privileged accounts and their business justification. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Directus 6.4.9 has a hardcoded admin password for the Admin account because of an INSERT statement in api/schema.sql. Ra
Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions incl
In Directus 8.x through 8.8.1, an attacker can switch to the administrator role (via the PATCH method) without any contr
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 8.6), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 8.2), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.7), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vu
In Directus 8.x through 8.8.1, an attacker can see all users in the CMS using the API /users/{id}. Rated high severity (
Directus is a real-time API and App dashboard for managing SQL database content. Rated medium severity (CVSS 6.5), this
Directus is a real-time API and App dashboard for managing SQL database content. Rated medium severity (CVSS 6.5), this
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44672