GHSA-7WQ3-JR35-275C

Vulnerability from github – Published: 2025-03-26 18:44 – Updated: 2025-03-26 18:44
VLAI?
Summary
Directus `search` query parameter allows enumeration of non permitted fields
Details

Summary

The search query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the enumeration of unknown field contents.

Details

The searchable columns (numbers & strings) are not checked against permissions when injecting the where clauses for applying the search query. This leads to the possibility of enumerating those un-permitted fields.

PoC

  • Create a collection with a string / numeric field, configure the permissions for the public role to not include the field created
  • Create items with identifiable content in the not permitted field
  • Query the collection and include the field content in the search parameter
  • See that results are returned, even tho the public user does not have permission to view the field content

Impact

This vulnerability is a very high impact, as for example Directus instances which allow public read access to the user avatar are vulnerable to have the email addresses, password hashes and potentially admin level access tokens extracted. The admin token and password hash extraction have a caveat, as string fields are only searched with a lower cased version of the search query.

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0-alpha.4"
            },
            {
              "fixed": "11.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-30352"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-26T18:44:23Z",
    "nvd_published_at": "2025-03-26T18:15:27Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe `search` query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the enumeration of unknown field contents.\n\n### Details\n\nThe searchable columns (numbers \u0026 strings) are not checked against permissions when injecting the `where` clauses for applying the search query. This leads to the possibility of enumerating those un-permitted fields.\n\n### PoC\n\n- Create a collection with a string / numeric field, configure the permissions for the public role to not include the field created\n- Create items with identifiable content in the not permitted field\n- Query the collection and include the field content in the `search` parameter\n- See that results are returned, even tho the public user does not have permission to view the field content\n\n### Impact\n\nThis vulnerability is a very high impact, as for example Directus instances which allow public read access to the user avatar are vulnerable to have the email addresses, password hashes and potentially admin level access tokens extracted. The admin token and password hash extraction have a caveat, as string fields are only searched with a lower cased version of the search query.",
  "id": "GHSA-7wq3-jr35-275c",
  "modified": "2025-03-26T18:44:23Z",
  "published": "2025-03-26T18:44:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/security/advisories/GHSA-7wq3-jr35-275c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30352"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/commit/ac5a9964d9926f20dc063a74cb417dc7bbad676d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directus `search` query parameter allows enumeration of non permitted fields"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.