CVE-2024-27296: Directus version number disclosure
CVSS Score: 5.3 (CVSS v3.1)
Basic Information
CVE ID: CVE-2024-27296
GHSA ID:
EPSS Score: 0.47856%
CWE:
Published: 3/1/2024
Updated: 3/1/2024
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| directus | npm | <= 10.8.2 | 10.8.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from hardcoded version references through the DIRECTUS_VERSION constant, which was injected at build time by Vite. The init function in main.ts used this constant for logging, and navigation.vue used it in UI rendering; both embedded the version string in the client-side JS bundles, where any unauthenticated visitor who downloads the bundle can read it. The commit patched this by removing these direct references and moving version retrieval to authenticated API calls in server.ts. These functions were identified as vulnerable because they read the build-injected constant directly, which is what exposed the version information.