7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-36128

GHSA ID

GHSA-632p-p495-25m5

EPSS Score

0.63157%

CWE

CWE-754

Published

6/4/2024

Updated

6/4/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-36128

CVE-2024-36128:
Directus is soft-locked by providing a string value to random string util

Describe the Bug

Providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This creates a denial of service situation where logged in sessions can no longer be refreshed as sessions depend on the capability to generate a random session ID.

To Reproduce

Test if the endpoint is working and accessible, GET http://localhost:8055/utils/random/string
Do a bad request GET http://localhost:8055/utils/random/string?length=foo
After this all calls to GET http://localhost:8055/utils/random/string will return an empty string instead of a random string
In this error situation you'll see authentication refreshes fail for the app and api.

Impact

This counts as an unauthenticated denial of service attack vector so this impacts all unpatched instances reachable over the internet.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-36128

GHSA ID

GHSA-632p-p495-25m5

EPSS Score

0.63157%

CWE

CWE-754

Published

6/4/2024

Updated

6/4/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
directus	npm	<= 10.11.1	10.11.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Both functions handle the random string generation endpoint and shared the same vulnerability pattern: 1) Missing type validation for the 'length' parameter allowed non-integer inputs 2) Direct conversion using Number() without validation produced NaN 3) Passing invalid values to nanoid corrupted application state. The commit diff shows both locations received validation fixes (Joi schema in utils.ts, bounds check in graphql.ts), confirming these were the vulnerable entry points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### **s*ri** t** *u* Provi*in* * non-num*ri* l*n*t* v*lu* to t** r*n*om strin* **n*r*tion utility will *r**t* * m*mory issu* *r**kin* t** **p**ility to **n*r*t* r*n*om strin*s pl*t*orm wi**. T*is *r**t*s * **ni*l o* s*rvi** situ*tion w**r* lo**** in

Reasoning

*ot* *un*tions **n*l* t** r*n*om strin* **n*r*tion *n*point *n* s**r** t** s*m* vuln*r**ility p*tt*rn: *) Missin* typ* v*li**tion *or t** 'l*n*t*' p*r*m*t*r *llow** non-int***r inputs *) *ir**t *onv*rsion usin* Num**r() wit*out v*li**tion pro*u*** N*

7.5

Basic Information

Concerned about an active attack path?

CVE-2024-36128: Directus is soft-locked by providing a string value to random string util

Describe the Bug

To Reproduce

Impact

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-36128:
Directus is soft-locked by providing a string value to random string util

Vulnerability Intelligence
Miggo AI