7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-54151

GHSA ID

GHSA-849r-qrwj-8rv4

EPSS Score

0.31141%

CWE

CWE-200

Published

12/9/2024

Updated

12/9/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-54151

CVE-2024-54151: Directus allows unauthenticated access to WebSocket events and operations

Summary

When setting WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges.

Details

Accountability for unauthenticated WebSocket requests is set to null, which used to be "public permissions" until the Permissions Policy update which now defaults that to system/admin level access. So instead of null we need to make use of createDefaultAccountability() to ensure public permissions are used for unauthenticated users.

PoC

Start directus with

WEBSOCKETS_ENABLED=true
WEBSOCKETS_GRAPHQL_AUTH=public
WEBSOCKETS_REST_AUTH=public

Subscribe using GQL or REST or do any CRUD operation on a user created collection (system tables are not reachable with crud)

subscription {
    directus_users_mutated {
        key
        event
        data {
            id
            email
            first_name
            last_name
            password
        }
    }
}

{
   "type": "items",
   "action": "read",
   "collection": "your_collection_name"
}

3a. Open up the data studio as any user. Observe how the subscriber gets notified on each page navigation (because the users last_page gets updated, the password fields is properly redacted here)

3b. Observe receiving all available items from the your_collection_name collection.

Impact

This impacts any Directus instance that has either WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH set to public allowing unauthenticated users to subscribe for changes on any collection or do REST CRUD operations on user defined collections ignoring permissions.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-54151

GHSA ID

GHSA-849r-qrwj-8rv4

EPSS Score

0.31141%

CWE

CWE-200

Published

12/9/2024

Updated

12/9/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
directus	npm	>= 11.0.0, < 11.3.0	11.3.0
@directus/api	npm	>= 22.2.0, < 23.2.0	23.2.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from WebSocket connection handlers initializing accountability to null. The commit diff shows both base.ts and graphql.ts were modified to replace 'null' with createDefaultAccountability(). These locations directly control authentication state for WebSocket connections, and null accountability (post-Permissions Policy update) erroneously granted admin access instead of public permissions. The files/line changes match the vulnerability description and CWE-200 exposure pattern.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry W**n s*ttin* `W**SO*K*TS_*R*P*QL_*UT*` or `W**SO*K*TS_R*ST_*UT*` to "pu*li*", *n un*ut**nti**t** us*r is **l* to *o *ny o* t** support** op*r*tions (*RU*, su*s*riptions) wit* *ull **min privil***s. ### **t*ils ***ount**ility *or un*ut**n

Reasoning

T** vuln*r**ility st*ms *rom W**So*k*t *onn**tion **n*l*rs initi*lizin* ***ount**ility to null. T** *ommit *i** s*ows *ot* `**s*.ts` *n* `*r*p*ql.ts` w*r* mo*i*i** to r*pl*** 'null' wit* `*r**t*****ult***ount**ility()`. T**s* lo**tions *ir**tly *ontr

7.5

Basic Information

Concerned about an active attack path?

CVE-2024-54151: Directus allows unauthenticated access to WebSocket events and operations

Summary

Details

PoC

Impact

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI