CVE-2024-39699
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Directus that allows attackers to bypass the DNS resolution protections on URL-based file imports by way of HTTP redirects: the initial URL resolves to an allowed address, but a redirect then points the server at an internal one. It enables blind SSRF against internal IP addresses; responses are intercepted and not shown to the attacker. Directus versions below the patched release 10.9.3 are affected.
💻 Affected Systems
- Directus
📦 What is this software?
Directus by Monospace
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, potentially leading to data exfiltration, internal network reconnaissance, or chaining with other vulnerabilities for further exploitation.
Likely Case
Blind SSRF allowing limited internal service interaction without response visibility, potentially enabling port scanning or triggering internal service actions.
If Mitigated
Limited impact due to response interception, but still provides some internal network access capability.
🎯 Exploit Status
Exploitation requires the ability to trigger a file import via URL, which typically needs authenticated access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.9.3
Vendor Advisory: https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw
Restart Required: Yes
Instructions:
1. Update Directus to version 10.9.3 or later
2. Restart the Directus service
3. Verify the fix by testing file import functionality
🔧 Temporary Workarounds
Disable file import via URL
Temporarily disable the file import from URL functionality until patching
Configure Directus to disable URL-based file imports in settings
🧯 If You Can't Patch
- Implement network-level restrictions to block outbound requests from Directus to internal IP ranges
- Use WAF rules to detect and block SSRF patterns in file import requests
🔍 How to Verify
Check if Vulnerable:
Check the Directus version: if it is below 10.9.3, the system is vulnerable.
Check Version:
Read the version from the Directus admin interface or from package.json.
Verify Fix Applied:
After updating to 10.9.3 or later, confirm that a URL import whose redirect target is an internal address is rejected rather than followed.
📡 Detection & Monitoring
Log Indicators:
- File import requests with URLs containing redirects
- Requests to internal IP addresses from Directus
Network Indicators:
- Outbound connections from Directus to internal IP ranges following redirects
SIEM Query (pseudo-query; map source and field names onto your log schema):
source="directus" AND (url_import OR redirect) AND (127.0.0.1 OR 10.* OR 172.16.* OR 192.168.*)
Note: 172.16.* matches only 172.16.0.0/16; the full private range 172.16.0.0/12 spans 172.16.* through 172.31.*, and loopback may also appear as localhost or ::1.
🔗 References
- https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1
- https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw