CVE-2024-54151

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-54151
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-54151.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-54151
Aliases
Published
2024-12-09T20:57:28.365Z
Modified
2025-12-05T07:34:24.549692Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Directus allows unauthenticated access to WebSocket events and operations
Details

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH is set to "public", an unauthenticated user is able to perform any of the supported operations (CRUD, subscriptions) with full admin privileges. This impacts any Directus instance that has either WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH set to public: unauthenticated users can subscribe to changes on any collection, or perform REST CRUD operations on user-defined collections, with the configured permissions ignored. Version 11.3.0 fixes the issue.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/54xxx/CVE-2024-54151.json",
    "cwe_ids": [
        "CWE-200"
    ]
}
References

Affected packages

Git / github.com/directus/directus

Affected ranges

Type
GIT
Repo
https://github.com/directus/directus
Events

Affected versions

v11.*

v11.0.0
v11.0.1
v11.0.2
v11.1.0
v11.1.1
v11.1.2
v11.2.0
v11.2.1
v11.2.2