Directus S3 Storage Driver Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Directus S3 storage driver, affecting versions from 9.22.0 up to but not including 12.0.1. When many HEAD requests checking for the existence of files are sent simultaneously, the driver eventually responds with a 403 status for all assets. This affects every Directus policy, including Admin and Public. The root cause is that the storage driver does not properly manage concurrent connections, so a burst of HEAD requests leaves assets unavailable.

Impact

Exploitation of this vulnerability causes a denial-of-service condition for all assets managed by Directus, disrupting access for all user policies, including Admin and Public.

Reproduction

The vulnerability can be reproduced by setting up AWS S3 storage and configuring the Directus S3 storage driver with a maximum of 50 sockets, a value lower than the default. After uploading a file, a script that sends 400 simultaneous HEAD requests for that file eventually causes the server to respond with a 403 status, meaning the asset has become unavailable.
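As an added illustration, not code from this advisory or from the Directus project, the following Python script shows one way a defender could spot the pattern described above in a web server access log: a burst of HEAD requests against asset paths from a single client, followed by asset responses turning 403. The log format, paths, addresses, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Combined-log style line; this format is an assumption, not Directus's own.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m and {"ip": m.group("ip"), "method": m.group("method"),
                  "path": m.group("path"), "status": int(m.group("status")),
                  "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def detect_head_burst(lines, threshold=50, window=timedelta(seconds=5)):
    """Return {ip: peak_count} for clients sending > threshold HEADs to /assets/ within any window."""
    seen = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "HEAD" and rec["path"].startswith("/assets/"):
            seen[rec["ip"]].append(rec["ts"])
    alerts = {}
    for ip, times in seen.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 > threshold:
                alerts[ip] = max(alerts.get(ip, 0), end - start + 1)
    return alerts

def asset_403_ratio(lines):
    """Share of /assets/ responses that were 403; a jump toward 1.0 after a HEAD burst matches the outage."""
    total = denied = 0
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"].startswith("/assets/"):
            total += 1
            denied += rec["status"] == 403
    return denied / total if total else 0.0

def build_sample_log():
    """Constructed sample: one client sends 60 HEADs in under two seconds, then another client's asset GETs return 403."""
    base = datetime(2025, 6, 9, 19, 40, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = [f'10.0.0.5 - - [{(base + timedelta(milliseconds=30 * i)).strftime(fmt)}] '
             f'"HEAD /assets/file1 HTTP/1.1" 200 0' for i in range(60)]
    lines += [f'10.0.0.9 - - [{(base + timedelta(seconds=3 + i)).strftime(fmt)}] '
              f'"GET /assets/file1 HTTP/1.1" 403 0' for i in range(5)]
    return lines
```

Run against a real access log, `detect_head_burst` names the sources to investigate and `asset_403_ratio` confirms whether the outage the advisory describes has actually set in.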

Remediation

Users can upgrade to Directus version 12.0.1 or later, which addresses this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 2.5
exploitability: 9.5
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.