Directus
- <= 12.0.0
A server-side request forgery (SSRF) vulnerability has been identified in Directus versions prior to 12.0.0. The issue arises in the file-import-from-URL feature, where the SSRF protection can be bypassed using the address 0.0.0.0. The application's IP denial list treats 0.0.0.0 as a keyword for local interfaces but fails to block the literal address. This oversight allows authenticated users with file-upload permissions to exploit the vulnerability by having the server fetch internal services through the /files/import endpoint, with the response returned as a downloadable file.
Exploitation of this vulnerability allows authenticated users with file-upload rights to bypass SSRF protections and access internal services on the server via localhost. The fetched data is then returned as a downloadable file, potentially exposing sensitive information.
To reproduce this vulnerability, an authenticated user with file-upload permissions can send a request to the Directus server's /files/import endpoint using the address 0.0.0.0. This request will bypass the SSRF protection and allow the server to fetch internal services, returning the response as a downloadable file.
Users can upgrade to Directus version 12.0.0 or later, where this vulnerability has been patched.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.