Directus GraphQL Denial-of-Service Vulnerability via Resolver Duplication

Vulnerability

A denial-of-service vulnerability has been identified in Directus versions prior to 11.17.0. The issue arises in the GraphQL endpoints '/graphql' and '/graphql/system', where resolver invocations within a single request are not deduplicated. This allows an authenticated user to exploit GraphQL aliasing, repeating costly relational queries multiple times in one request. As a result, the server must handle a large number of independent, complex database queries simultaneously, increasing database load in proportion to the number of aliases used. Although there is a token limit on GraphQL queries, it still allows for enough aliases to cause significant resource exhaustion. The absence of default rate limiting means that this exploitation can lead to excessive CPU, memory, and I/O usage, potentially degrading or crashing the service. This vulnerability can be triggered by any authenticated user, including those with minimal read-only permissions.

Impact

Exploitation of this vulnerability causes severe degradation of service or a complete outage, as the simultaneous execution of complex database queries exhausts server resources and the connection pool, impacting all users. The vulnerability requires only low privileges, as any authenticated user with read-only access to a single collection can initiate the resource exhaustion. The impact scales linearly with the number of aliases used and the depth of the relational queries, and is compounded by the concurrency of multiple simultaneous requests.

Remediation

Users can upgrade to Directus version 11.17.0 or later, where this vulnerability has been addressed by introducing a request-scoped resolver deduplication mechanism. This new mechanism ensures that when multiple aliases in a single request call the same resolver with the same arguments, only the first invocation is executed, while subsequent aliases share the result. This change effectively removes the amplification factor, regardless of the number of aliases in a query.
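The request-scoped deduplication described above, as an added illustration rather than Directus's own implementation: it assumes resolvers have the shape `(args, ctx) => result` with `ctx` created fresh per HTTP request, and substitutes a constructed call-counting resolver for the real relational query so the amplification can be measured.

```javascript
// Added illustration, not Directus's own code: request-scoped resolver deduplication.
// Assumed shape: resolver(args, ctx) => result, with ctx created fresh per HTTP request.
// Recursively sort object keys so argument objects that differ only in key
// order (including nested filter objects) produce the same cache key.
function canonical(value) {
  if (Array.isArray(value)) return value.map(canonical);
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.keys(value).sort().map((k) => [k, canonical(value[k])]));
  }
  return value;
}
const cacheKey = (field, args) => field + ':' + JSON.stringify(canonical(args));

// Wrap a resolver so repeated (field, args) pairs within one request share the
// first result. The Map hangs off ctx, so it dies with the request and never
// serves one request's rows to another. In an async pipeline the cached value
// would be the in-flight Promise rather than the resolved result.
function dedupeResolver(field, resolver) {
  return function (args, ctx) {
    if (!ctx.resolverCache) ctx.resolverCache = new Map();
    const key = cacheKey(field, args);
    if (!ctx.resolverCache.has(key)) ctx.resolverCache.set(key, resolver(args, ctx));
    return ctx.resolverCache.get(key);
  };
}

// Constructed stand-in for a costly relational query: it only counts DB calls.
function countingResolver() {
  let dbCalls = 0;
  return {
    resolver: (args) => { dbCalls += 1; return { id: args.id, related: [1, 2, 3] }; },
    dbCalls: () => dbCalls,
  };
}

// Execute one request made of [alias, field, args] selections.
function execute(selections, resolvers, ctx) {
  const data = {};
  for (const [alias, field, args] of selections) data[alias] = resolvers[field](args, ctx);
  return data;
}
// DB calls for a request with N aliases of one query plus one distinct query.
function dbCallsFor(aliasCount, dedupe) {
  const selections = [['other', 'articles', { id: 2 }]];
  for (let i = 0; i < aliasCount; i++) selections.push([`a${i}`, 'articles', { id: 1 }]);
  const db = countingResolver();
  const resolver = dedupe ? dedupeResolver('articles', db.resolver) : db.resolver;
  execute(selections, { articles: resolver }, { user: 'reader' });
  return db.dbCalls();
}
```

Without the wrapper the database does one query per alias; with it the count collapses to the number of distinct (field, args) pairs, which is what removes the amplification factor.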

Added: Apr 6, 2026, 10:26 PM
Updated: Apr 6, 2026, 10:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.2
remediation: 0.0
relevance: 5.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.