CVE-2024-46990

5.0 MEDIUM

📋 TL;DR

Directus restricts localhost access by checking the client address against the single literal 127.0.0.1. Any other address in the 127.0.0.0/8 loopback range, such as 127.0.0.2, does not match and passes the filter, so an attacker can present such an address to bypass the restriction. Instances that rely on this IP filtering to block localhost access are affected; 10.x releases before 10.13.3 and 11.x releases before 11.1.0 are vulnerable.

💻 Affected Systems

Products:
  • Directus
Versions: 10.x before 10.13.3; 11.x before 11.1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only relevant where IP filtering is used to block localhost access; the bypass is against that filter, and an instance with no such filter gains nothing from it and loses nothing to the bypass

📦 What is this software?

Directus is an open-source data platform that wraps a SQL database in REST and GraphQL APIs and an admin web app; it is distributed as the `directus` npm package and the `directus/directus` container image.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker reaches Directus functionality or data that the filter was meant to confine to localhost, leading to unauthorized data exposure or, where the exposed surface includes administrative actions, privilege escalation.

🟠 Likely Case

Unauthorized users bypass the intended access control and reach admin interfaces or APIs that should only have been reachable from 127.0.0.1.

🟢 If Mitigated

With the deny rule expressed as the CIDR range 127.0.0.0/8, every 127.x.x.x address is blocked and the bypass is closed.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs no special tooling: an attacker who knows about the bypass and can reach the Directus instance over the network only has to present a loopback address other than 127.0.0.1 to the filter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.13.3 or 11.1.0

Vendor Advisory: https://github.com/directus/directus/security/advisories/GHSA-68g8-c275-xf2m

Restart Required: Yes

Instructions:

1. Back up the Directus instance and its database.
2. Update Directus to 10.13.3 (10.x line) or 11.1.0 (11.x line) through whichever channel you deploy from (the `directus` npm package or the `directus/directus` container image).
3. Restart the Directus service.
4. Confirm the running version (see How to Verify below) and that a request from a loopback address other than 127.0.0.1 is now rejected.

🔧 Temporary Workarounds

Block the 127.0.0.0/8 CIDR range

Applies to: all affected versions

Configure the IP filter to block the entire 127.x.x.x loopback range (127.0.0.0/8) rather than the single address 127.0.0.1, either in the application settings or in the firewall in front of Directus.

🧯 If You Can't Patch

  • Add a host-level firewall rule (or a reverse-proxy rule) in front of Directus that denies 127.0.0.0/8 as a client address; a loopback source address never crosses a network firewall, so the rule has to live on the host itself.
  • Use application-level middleware that parses the client address and rejects anything inside 127.0.0.0/8 (including the IPv4-mapped spelling ::ffff:127.x.x.x) instead of comparing against the string 127.0.0.1.

🔍 How to Verify

Check if Vulnerable:

Your instance is vulnerable if it runs a 10.x release below 10.13.3 or an 11.x release below 11.1.0 and relies on IP filtering to block localhost access.

Check Version:

Run `directus version`, read the `version` field of package.json in the installation, or, as an authenticated admin, read the version reported by GET /server/info.

Verify Fix Applied:

After updating, confirm that requests from 127.0.0.2 or any other 127.x.x.x address are rejected exactly as requests from 127.0.0.1 are.

📡 Detection & Monitoring

Log Indicators:

  • Access attempts from 127.x.x.x addresses other than 127.0.0.1 (including the IPv4-mapped spelling ::ffff:127.x.x.x)
  • Failed authentication or authorization attempts from loopback addresses

Network Indicators:

  • Traffic to Directus from 127.x.x.x IPs. A loopback source address never appears on the wire, so this is visible only in host-local logs (the Directus process itself, or a reverse proxy on the same host that records the original client address), not in network taps or perimeter firewalls.
  • Unusual access patterns from localhost variants

SIEM Query:

source_ip:/127\.\d+\.\d+\.\d+/ AND NOT source_ip:"127.0.0.1" AND dest_port:8055 AND (app:"directus" OR user_agent:"Directus")

The field names are placeholders for your own schema. 8055 is Directus's default listening port; adjust dest_port if PORT is set to something else.
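The same detection logic as the SIEM query, run over a handful of constructed log lines so the rule can be checked before it is deployed. This is an added example written for this page, not Directus's logger or any vendor content; the line format (timestamp, client IP, method, path, status) is an assumption, as are the sample lines themselves, so adapt the parser to whatever your reverse proxy or Directus logger actually emits. It mirrors the query's regex approach rather than a full CIDR parse, and additionally matches the IPv4-mapped spelling, which a plain 127\.\d+ pattern misses.

```javascript
// Added example, not Directus code: flag loopback sources other than 127.0.0.1
// in access-log lines. Log format and sample lines are constructed for this
// example; adjust LINE_RE to your real log format.
const SAMPLE_LOG = [
  '2024-09-18T10:00:01Z 127.0.0.1 GET /server/health 200',
  '2024-09-18T10:00:02Z 127.0.0.2 GET /items/articles 200',
  '2024-09-18T10:00:03Z 10.0.0.7 GET /items/articles 200',
  '2024-09-18T10:00:04Z 127.1.2.3 POST /auth/login 401',
  '2024-09-18T10:00:05Z ::ffff:127.0.0.9 GET /server/info 403',
  'garbage line that does not parse',
];

// timestamp, client IP, method, path, 3-digit status
const LINE_RE = /^(\S+) (\S+) (\S+) (\S+) (\d{3})$/;

// Mirrors the SIEM query's 127\.\d+\.\d+\.\d+ pattern and also accepts the
// IPv4-mapped IPv6 spelling of the same addresses.
const LOOPBACK_VARIANT_RE = /^(?:::ffff:)?127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/i;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], ip: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// True for any loopback spelling except the one the original filter already
// handled (127.0.0.1 and its mapped form), which is exactly the bypass traffic.
function isLoopbackVariant(ip) {
  const lower = ip.toLowerCase();
  return (
    LOOPBACK_VARIANT_RE.test(lower) && lower !== '127.0.0.1' && lower !== '::ffff:127.0.0.1'
  );
}

// Returns the events worth alerting on and a count of failed auth/authz
// attempts among them (the second log indicator listed above).
function findLoopbackVariantAccess(lines) {
  const hits = [];
  let failedAuth = 0;
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || !isLoopbackVariant(ev.ip)) continue;
    hits.push(ev);
    if (ev.status === 401 || ev.status === 403) failedAuth += 1;
  }
  return { hits, failedAuth };
}

console.log(findLoopbackVariantAccess(SAMPLE_LOG));
```

On the sample input this reports three hits (127.0.0.2, 127.1.2.3 and ::ffff:127.0.0.9) and two failed attempts. Because loopback addresses never traverse the network, feed this the host-local log that records the original client address; a perimeter log will never contain these lines.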

🔗 References

  • Vendor advisory: https://github.com/directus/directus/security/advisories/GHSA-68g8-c275-xf2m
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-46990