Directus SSRF Protection Bypass Vulnerability in File Import Feature

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Directus versions prior to 12.0.0. The issue arises in the file-import-from-URL feature, where the SSRF protection can be bypassed using the address 0.0.0.0. The application's IP denial list treats 0.0.0.0 as a keyword for local interfaces but fails to block the literal address. This oversight allows authenticated users with file-upload permissions to exploit the vulnerability by having the server fetch internal services through the /files/import endpoint, with the response returned as a downloadable file.

Impact

Exploitation of this vulnerability allows authenticated users with file-upload rights to bypass SSRF protections and access internal services on the server via localhost. The fetched data is then returned as a downloadable file, potentially exposing sensitive information.

Reproduction

To reproduce this vulnerability, an authenticated user with file-upload permissions can send a request to the Directus server's /files/import endpoint using the address 0.0.0.0. This request will bypass the SSRF protection and allow the server to fetch internal services, returning the response as a downloadable file.

Remediation

Users can upgrade to Directus version 12.0.0 or later, where this vulnerability has been patched.

Added: Jul 15, 2026, 3:27 PM
Updated: Jul 15, 2026, 3:27 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
1.3
exploitability
5.3
remediation
0.0
relevance
9.7
threat
4.8
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.