Directus Session Token Vulnerability Allows Suspended Users to Access API
Vulnerability
A vulnerability in Directus versions 10.10.0 up to, but not including, 11.5.0 allows suspended users to keep accessing the API with session tokens issued while their account was still active. The root cause is a missing check in the 'verifySessionJWT' function: it validates the token itself but does not confirm that the user behind it is still active and authorized to use the API. A user who logs in before being suspended therefore holds a session token that keeps working, and keeps granting API access, until it expires.
Impact
This vulnerability undermines the effectiveness of user suspension by allowing suspended users to retain API access until their session tokens expire.
Reproduction
To reproduce this vulnerability, first create an active user account and log in to the Directus application. Once logged in, note the session token. Then suspend the user account without triggering an '/auth/refresh' call, since a refresh would invalidate the session token. With the user suspended, the session token can still be used to access the API, demonstrating the vulnerability.
Remediation
Upgrade to Directus version 11.5.0 or later, where this vulnerability has been patched.
