3.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-30351

GHSA ID

GHSA-56p6-qw3c-fq2g

EPSS Score

0.11765%

CWE

CWE-672

Published

3/26/2025

Updated

3/27/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-30351

CVE-2025-30351: Suspended Directus user can continue to use session token to access API

Summary

Since the user status is not checked when verifying a session token a suspended user can use the token generated in session auth mode to access the API despite their status.

Details

There is a check missing in verifySessionJWT to verify that a user is actually still active and allowed to access the API. Right now one can extract the session token obtained by, e.g. login in to the app while still active and then, after the user has been suspended continue to use that token until it expires.

PoC

Create an active user
Log in with that user and note the session cookie
Suspend the user (and don't trigger an /auth/refresh call, as that invalidates the session
Access the API with Authorization: Bearer <token>

Impact

This weakens the security of suspending users.

(GitHub Advisory)

3.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-30351

GHSA ID

GHSA-56p6-qw3c-fq2g

EPSS Score

0.11765%

CWE

CWE-672

Published

3/26/2025

Updated

3/27/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
directus	npm	>= 10.10.0, < 11.15.0	11.15.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing user status checks during session token validation. While the actual patch adds session clearing mechanisms (clearUserSessions) and accountability tracking, the core vulnerability exists in verifySessionJWT which wasn't modified in the provided diff but is explicitly called out in the advisory. Runtime detection would focus on the token verification flow where user status isn't validated, making verifySessionJWT the primary vulnerable function visible in call stacks during exploitation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry Sin** t** us*r st*tus is not ****k** w**n v*ri*yin* * s*ssion tok*n * susp*n*** us*r **n us* t** tok*n **n*r*t** in s*ssion *ut* mo** to ****ss t** *PI **spit* t**ir st*tus. ### **t*ils T**r* is * ****k missin* in `v*ri*yS*ssionJWT` to v

Reasoning

T** vuln*r**ility st*ms *rom missin* us*r st*tus ****ks *urin* s*ssion tok*n v*li**tion. W*il* t** **tu*l p*t** ***s s*ssion *l**rin* m****nisms (`*l**rUs*rS*ssions`) *n* ***ount**ility tr**kin*, t** *or* vuln*r**ility *xists in `v*ri*yS*ssionJWT` w*

3.5

Basic Information

Concerned about an active attack path?

CVE-2025-30351: Suspended Directus user can continue to use session token to access API

Summary

Details

PoC

Impact

3.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI