Directus Sensitive Data Exposure Vulnerability in Webhook Flows
Vulnerability
A vulnerability in Directus versions from 9.12.0 up to, but not including, 11.5.0 allows sensitive data to be exposed unintentionally through the API. The issue arises when a Flow with the 'Webhook' trigger and the 'Data of Last Operation' response body encounters a ValidationError because a condition operation failed. In that case the API response includes environment variables, sensitive API keys, user accountability information, and operational data, creating a significant security risk.
Impact
Exploitation of this vulnerability leads to the unauthorized exposure of sensitive information, including environmental variables, API keys, user accountability details, and operational data.
Reproduction
To reproduce this vulnerability, create a Flow in Directus with the 'Webhook' trigger and 'Data of Last Operation' response body. Add a condition that is likely to fail, then trigger the Flow with input data that will cause the condition to fail. The API response will include sensitive information such as environmental variables, authorization headers, user details under accountability, and previous operational data.
Remediation
Upgrade to Directus version 11.5.0 or later, where this vulnerability has been fixed.
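As an added example (not from the advisory or the Directus project), the following Python audit flags flows that combine the Webhook trigger with the 'Data of Last Operation' response body on an affected version, so an operator can find what to change before or alongside the upgrade. It assumes the record shape of the Directus /flows API, with the trigger stored as `trigger: "webhook"` and the 'Data of Last Operation' choice stored as `options.return == "$last"`; the sample flows and version string are constructed.

```python
"""Audit a Directus /flows export for the vulnerable combination described in
the advisory: Webhook trigger plus "Data of Last Operation" response body.

Assumptions (not taken from the advisory): a flow record exposes its trigger as
trigger == "webhook" and the response-body choice as options["return"], where
the "Data of Last Operation" UI option is stored as "$last". The version string
would come from /server/info; here it is a constructed sample.
"""
from typing import Iterable

AFFECTED_FROM = (9, 12, 0)   # first affected version per the advisory
FIXED_IN = (11, 5, 0)        # fixed in 11.5.0


def parse_version(text: str) -> tuple:
    """Turn '11.4.1' (optionally 'v'-prefixed, with a pre-release suffix) into a tuple."""
    core = text.lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def version_is_affected(version: str) -> bool:
    """True when the instance falls inside the advisory's affected range."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def flows_at_risk(flows: Iterable[dict]) -> list:
    """Names of flows whose trigger and response body match the vulnerable pattern."""
    risky = []
    for flow in flows:
        opts = flow.get("options") or {}
        if flow.get("trigger") == "webhook" and opts.get("return") == "$last":
            risky.append(flow.get("name") or flow.get("id", "<unnamed>"))
    return risky


def audit(version: str, flows: Iterable[dict]) -> list:
    """Findings for one instance; an empty list means nothing to act on."""
    if not version_is_affected(version):
        return []
    return flows_at_risk(flows)


# Constructed sample data in the shape of a /flows API response.
SAMPLE_FLOWS = [
    {"id": "f1", "name": "order-check", "trigger": "webhook",
     "options": {"method": "POST", "return": "$last"}},
    {"id": "f2", "name": "nightly-report", "trigger": "schedule",
     "options": {"cron": "0 3 * * *"}},
    {"id": "f3", "name": "ping", "trigger": "webhook",
     "options": {"method": "GET", "return": ""}},
]

if __name__ == "__main__":
    for name in audit("11.4.1", SAMPLE_FLOWS):   # constructed version string
        print(f"flow needs attention before/with the 11.5.0 upgrade: {name}")
```

Flows flagged by the audit are the ones whose error responses carry the leaked data described above; switching their response body away from 'Data of Last Operation' limits exposure until the instance runs 11.5.0 or later.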
