CVE-2022-23080: Server-Side Request Forgery in Directus
CVSS Score: 5 (CVSS 3.1)

Basic Information
CVE ID: CVE-2022-23080
GHSA ID:
EPSS Score: 0.39004%
CWE:
Published: 6/23/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
directus | npm | >= 9.0.0-beta.2, < 9.7.0 | 9.7.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability exists in the media upload functionality where external URLs are fetched. The patch adds three security checks: 1) URL validation with proper parsing, 2) DNS resolution of the hostname, so that a domain name resolving to an internal IP address cannot bypass the check, and 3) IP deny list checks, including localhost detection. The absence of these checks in the original code (v9.0.0-beta.2 to 9.6.0) made the importFile method vulnerable to SSRF. The function's direct handling of user-provided URLs, and the addition of security logic to it in the patch, confirm it as the vulnerability entry point.