CVE-2024-34708

4.9 MEDIUM

📋 TL;DR

This vulnerability in Directus lets any user whose role may read a collection containing a field with the "hash" special (a field Directus stores only as a hash and normally returns as the placeholder "**********") bypass that redaction: requesting the field through the "alias" query parameter returns the stored hash instead of the placeholder. Affected are Directus installations prior to version 10.11.0 that contain such fields and grant non-admin roles read access to the containing collection.

💻 Affected Systems

Products:
  • Directus
Versions: All versions prior to 10.11.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations where redacted fields exist and users have permission to view the containing collections.

📦 What is this software?

Directus is an open-source headless CMS and data platform that wraps an existing SQL database in a REST and GraphQL API, with a role- and field-level permission system controlling what each user can read and write.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Exposure of the stored hashes behind redacted fields (for example password or token hashes) to every user who can read the collection, enabling offline cracking of weak secrets and reuse of anything recovered.

🟠

Likely Case

Disclosure of hash values that the permission model was meant to keep hidden to users who legitimately read the collection; cracked hashes can then be used for account takeover.

🟢

If Mitigated

No exposure if hashed fields are excluded from the read permissions of non-admin roles, or if the instance runs 10.11.0 or later.

🌐 Internet-Facing: HIGH if Directus API is exposed to the internet and contains sensitive redacted fields.
🏢 Internal Only: MEDIUM as internal users with view permissions could still exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account with read permission on an affected collection; a single GET request with an alias parameter is enough. The technique, including a proof of concept, is documented in the vendor advisory linked below.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.11.0

Vendor Advisory: https://github.com/directus/directus/security/advisories/GHSA-p8v3-m643-4xqx

Restart Required: Yes

Instructions:

1. Back up your Directus instance and database.
2. Update Directus to version 10.11.0 or later using your package manager or deployment method.
3. Restart the Directus service.
4. Verify the update was successful (see How to Verify below).

🔧 Temporary Workarounds

Remove sensitive field view permissions

Applies to: all affected versions

For every non-admin role, edit the read permission on each collection that contains a hashed field so that the hashed field is not in the role's allowed field list. If the role cannot read the field at all, there is nothing for the alias to expose.

Use the Directus permissions interface (Settings > Roles & Permissions) or the /permissions API to modify role permissions.

🧯 If You Can't Patch

  • Implement strict field-level permissions so that non-admin roles cannot read hashed fields at all, not merely see them redacted.
  • Monitor API logs for alias parameters whose value names a hashed field. Scope any WAF rule the same way: "alias" is a legitimate query feature, and blocking it outright breaks normal API clients.

🔍 How to Verify

Check if Vulnerable:

Authenticated as a user whose role can read the collection, first request the hashed field by name (GET /items/<collection>?fields=<hashed_field>); it should come back as "**********". Then request it through an alias, e.g. GET /items/<collection>?alias[workaround]=<hashed_field>, where "workaround" is any alias name. If the aliased key in the response contains the hash instead of the placeholder, the instance is vulnerable.

Check Version:

Check the Directus admin interface, or run: node -e "console.log(require('./package.json').version)" in the Directus root directory (for a container, run the same command with docker exec inside the container).

Verify Fix Applied:

After patching, repeat the aliased request above and confirm the aliased key returns only the "**********" placeholder (or is absent), never the stored hash.
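The check above as a script, added here as an example (it is not code from Directus or from the advisory). It assumes a hypothetical collection "accounts" with a hash-special field "secret", a static token for a user whose role may read that collection, and the "**********" placeholder Directus uses for hashed fields. The decision logic is separated from the HTTP calls so it can be exercised on constructed responses.

```python
"""Probe a Directus instance for the alias redaction bypass (CVE-2024-34708).

Added example for this page; not code from Directus or from the advisory.
Assumptions (hypothetical): a collection `accounts` with a hash-special field
`secret`, and a static token for a user whose role may read that collection.
"""
import json
import sys
import urllib.parse
import urllib.request

# Placeholder Directus returns in place of a hash-special field's stored value.
REDACTED = "**********"


def build_urls(base, collection, field, alias="probe"):
    """Return (baseline_url, aliased_url) for one record of `collection`.

    The baseline reads `field` by name; the aliased request asks for the same
    field under a caller-chosen alias, which is the path the bug lived on.
    """
    base = base.rstrip("/")
    baseline = f"{base}/items/{collection}?" + urllib.parse.urlencode(
        {"fields": field, "limit": 1})
    aliased = f"{base}/items/{collection}?" + urllib.parse.urlencode(
        {f"alias[{alias}]": field, "limit": 1})
    return baseline, aliased


def classify(baseline_item, aliased_item, field, alias="probe"):
    """Decide from the two returned records whether the bypass works.

    'field-not-redacted' means the role sees the raw value even without an
    alias, i.e. a permissions problem rather than this bug.
    """
    if baseline_item is None or aliased_item is None:
        return "no-data"
    if baseline_item.get(field) != REDACTED:
        return "field-not-redacted"
    via_alias = aliased_item.get(alias)
    if via_alias is None or via_alias == REDACTED:
        return "patched"
    return "vulnerable"


def fetch_first_item(url, token):
    """GET `url` with a bearer token; return the first item of `data`, or None."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        data = json.load(resp).get("data")
    if isinstance(data, dict):  # singleton collections return one object
        return data
    return data[0] if data else None


def check(base, token, collection, field):
    """Run both requests against a live instance and classify the result."""
    baseline_url, aliased_url = build_urls(base, collection, field)
    return classify(fetch_first_item(baseline_url, token),
                    fetch_first_item(aliased_url, token), field)


# Constructed responses showing what a pre-fix and a post-fix instance return
# for the same record (the hash string below is made up, not real data).
SAMPLE_BEFORE_FIX = ({"secret": REDACTED},
                     {"probe": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA"})
SAMPLE_AFTER_FIX = ({"secret": REDACTED}, {"probe": REDACTED})

if __name__ == "__main__":
    # usage: python3 probe_alias.py https://directus.example TOKEN accounts secret
    base, token, collection, field = sys.argv[1:5]
    print(check(base, token, collection, field))
```

Run it with the account you are worried about, not an admin: admins see raw values through other paths anyway, and the interesting result is "vulnerable" for a role whose baseline read is correctly masked.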

📡 Detection & Monitoring

Log Indicators:

  • API requests whose query string contains an alias[...] parameter whose value is the name of a hashed field (the alias name itself is attacker-chosen; "workaround" is only the name used in the advisory's proof of concept)
  • Unusual access patterns to collections containing hashed fields, especially from non-admin accounts

Network Indicators:

  • HTTP GET requests to /items/<collection> or /users endpoints carrying an alias parameter, in either raw (alias[x]=) or URL-encoded (alias%5Bx%5D=) form

SIEM Query:

http.url:*alias* AND http.url:*<hashed_field>* AND http.method:GET

Matching on the literal "workaround" only catches copy-pasted proof-of-concept requests; substitute the names of your own hashed fields and expect to see both raw and percent-encoded brackets in the URL.
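The log indicators above, as detection logic over access-log lines. This is an added example, not code from Directus or from any SIEM content pack. It assumes combined-format request lines and a hypothetical map of sensitive fields per collection; because the alias name is attacker-chosen, the rule keys on the value of any alias[...] parameter rather than on the word "workaround".

```python
"""Flag access-log lines that alias a hashed field (CVE-2024-34708 hunting).

Added example for this page, not part of Directus or of any SIEM content pack.
The alias name is attacker-chosen, so the rule keys on the *value* of any
alias[...] parameter, not on the literal 'workaround' from the advisory.
Assumption (hypothetical): the sensitive-field map below matches your schema.
"""
import re
import urllib.parse

# Hash-special fields worth watching, per collection (hypothetical schema).
SENSITIVE_FIELDS = {
    "accounts": {"secret"},
    "directus_users": {"password"},
}

ALIAS_KEY = re.compile(r"^alias\[([^\]]+)\]$")
# Request line of Apache/Nginx combined logs: "GET /path HTTP/1.1" 200
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def aliased_fields(query):
    """Map alias name -> underlying field for every alias[...] parameter."""
    out = {}
    for key, values in urllib.parse.parse_qs(query, keep_blank_values=True).items():
        m = ALIAS_KEY.match(key)  # parse_qs already decodes %5B / %5D
        if m:
            for value in values:
                out[m.group(1)] = value
    return out


def collection_of(path):
    """Resolve the Directus collection behind an API path, or None."""
    m = re.match(r"^/items/([^/]+)", path)
    if m:
        return m.group(1)
    if path == "/users" or path.startswith("/users/"):
        return "directus_users"
    return None


def flag_line(line):
    """Return a finding dict if the line aliases a sensitive field, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urllib.parse.urlsplit(m.group("target"))
    collection = collection_of(url.path)
    if collection is None:
        return None
    watched = SENSITIVE_FIELDS.get(collection, set())
    hits = {alias: field for alias, field in aliased_fields(url.query).items()
            if field in watched}
    if not hits:
        return None
    return {"collection": collection, "aliases": hits,
            "status": int(m.group("status")), "line": line}


def scan(lines):
    """Return the findings for every line that aliases a watched field."""
    return [f for f in map(flag_line, lines) if f]


# Constructed log lines (not real traffic): two alias a hashed field.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET /items/accounts?alias%5Bprobe%5D=secret&limit=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/May/2024:10:01:05 +0000] "GET /items/accounts?alias[label]=name HTTP/1.1" 200 300',
    '10.0.0.7 - - [12/May/2024:10:02:00 +0000] "GET /users?alias[x]=password HTTP/1.1" 200 900',
    '10.0.0.9 - - [12/May/2024:10:03:00 +0000] "GET /items/articles?fields=title HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["collection"], finding["aliases"], finding["status"])
```

A 200 status on a flagged line from a non-admin account is the case to investigate first; after patching, the same request should still appear in the logs but no longer carries the hash in the response.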

🔗 References

  • Vendor advisory GHSA-p8v3-m643-4xqx: https://github.com/directus/directus/security/advisories/GHSA-p8v3-m643-4xqx