GHSA-56P6-QW3C-FQ2G

Vulnerability from github – Published: 2025-03-26 18:30 – Updated: 2025-06-09 18:12
VLAI?
Summary
Suspended Directus user can continue to use session token to access API
Details

Summary

Since the user status is not checked when verifying a session token a suspended user can use the token generated in session auth mode to access the API despite their status.

Details

There is a check missing in verifySessionJWT to verify that a user is actually still active and allowed to access the API. Right now one can extract the session token obtained by, e.g. login in to the app while still active and then, after the user has been suspended continue to use that token until it expires.

PoC

  • Create an active user
  • Log in with that user and note the session cookie
  • Suspend the user (and don't trigger an /auth/refresh call, as that invalidates the session
  • Access the API with Authorization: Bearer <token>

Impact

This weakens the security of suspending users.

Severity ?
3.5 (Low)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.10.0"
            },
            {
              "fixed": "11.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@directus/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "18.0.0"
            },
            {
              "fixed": "24.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@directus/types"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.7"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-30351"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-672"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-26T18:30:43Z",
    "nvd_published_at": "2025-03-26T18:15:26Z",
    "severity": "LOW"
  },
  "details": "### Summary\nSince the user status is not checked when verifying a session token a suspended user can use the token generated in session auth mode to access the API despite their status.\n\n### Details\nThere is a check missing in `verifySessionJWT` to verify that a user is actually still active and allowed to access the API. Right now one can extract the session token obtained by, e.g. login in to the app while still active and then, after the user has been suspended continue to use that token until it expires.\n\n### PoC\n* Create an active user\n* Log in with that user and note the session cookie\n* Suspend the user (and don\u0027t trigger an `/auth/refresh` call, as that invalidates the session\n* Access the API with `Authorization: Bearer \u003ctoken\u003e`\n\n### Impact\nThis weakens the security of suspending users.",
  "id": "GHSA-56p6-qw3c-fq2g",
  "modified": "2025-06-09T18:12:09Z",
  "published": "2025-03-26T18:30:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/security/advisories/GHSA-56p6-qw3c-fq2g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30351"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/commit/ef179931c55b50c110feca8404901d5633940771"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Suspended Directus user can continue to use session token to access API"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.