Directus S3 Storage Driver Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Directus S3 storage driver, specifically in versions 9.22.0 prior to 12.0.1. When multiple malformed transformation requests are sent simultaneously, the driver fails to process these requests correctly, leading to all assets being served with a 403 status. This issue affects all user policies in Directus, including Admin and Public.

Impact

Exploitation of this vulnerability causes a denial-of-service condition for all assets managed by Directus, disrupting access for all user policies.

Reproduction

The vulnerability can be reproduced by setting up AWS S3 storage and configuring the 'STORAGE_CLOUD_MAX_SOCKETS' environment variable to a value lower than the default. After uploading a file to the Directus project, a script can be run to send 400 simultaneous requests for the uploaded file, using invalid transformation parameters. This overloads the server's ability to handle connections, causing the asset to become unavailable.

Remediation

Users can upgrade to Directus version 12.0.1 or later, or Directus version 11.5.0, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 2.5
exploitability: 9.5
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.