CVE-2024-47822

4.2 MEDIUM

📋 TL;DR

Directus systems with LOG_STYLE set to 'raw' expose access tokens in query strings within system logs. Attackers with log access can steal these tokens to gain administrative control, leading to unauthorized data access and manipulation. This affects Directus deployments using raw logging and query string authentication.

💻 Affected Systems

Products:
  • Directus
Versions: Versions before 10.13.2
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when LOG_STYLE is set to 'raw' and access tokens are passed via query strings.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains administrative access via stolen static tokens, leading to complete data compromise, manipulation, and potential system takeover.

🟠

Likely Case

Unauthorized data access and manipulation if logs containing tokens are exposed to attackers.

🟢

If Mitigated

Minimal impact if logs are properly secured and token rotation is implemented.

🌐 Internet-Facing: MEDIUM - Requires attacker access to logs, but internet-facing systems have broader attack surface.
🏢 Internal Only: LOW - Requires internal log access, reducing exposure compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to system logs containing unredacted tokens.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.13.2 and later

Vendor Advisory: https://github.com/directus/directus/security/advisories/GHSA-vw58-ph65-6rxp

Restart Required: Yes

Instructions:

1. Upgrade Directus to version 10.13.2 or later.
2. Restart the Directus service.
3. Rotate any static tokens that were passed via query strings.

🧯 If You Can't Patch

  • Change LOG_STYLE from 'raw' to another setting like 'pretty' or 'json'.
  • Implement strict access controls and monitoring for system logs to prevent unauthorized access.

🔍 How to Verify

Check if Vulnerable:

Check if Directus version is below 10.13.2 and LOG_STYLE environment variable is set to 'raw'.

Check Version:

Check the Directus admin interface, or run `node -e "console.log(require('./package.json').version)"` in the Directus installation directory.

Verify Fix Applied:

Confirm Directus version is 10.13.2 or higher and verify logs no longer contain unredacted access tokens in query strings.

📡 Detection & Monitoring

Log Indicators:

  • Log entries containing 'access_token' parameter with visible token values in query strings.

Network Indicators:

  • Unusual administrative access patterns or token reuse from unexpected sources.

SIEM Query:

Search logs for patterns matching 'access_token=[alphanumeric string]' in query parameters.
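The search described above as a small Node.js script, added here as an example (not code from Directus or from the advisory): it scans raw-style log lines for `access_token` values in query strings, reports which lines leak a token, and produces a redacted copy that can be retained safely. The log lines and token values are constructed samples.

```javascript
// Constructed sample lines resembling raw request logs; token values are fake.
const SAMPLE_LOG = [
  'GET /items/articles?access_token=AbCdEf123456789XyZ&limit=10 200',
  'GET /users/me HTTP/1.1 200',
  'POST /auth/login 200',
  'GET /collections?fields=*&access_token=ZyXwVu987654321AbC 403',
];

const TOKEN_PARAM = 'access_token';

// Return every access_token value found in the query strings on one line.
function findLeakedTokens(line) {
  const tokens = [];
  // Match a request path followed by a query string, then parse the query
  // with URLSearchParams so encoded values and parameter order do not matter.
  const pathWithQuery = /\/[^\s?"]*\?([^\s"]+)/g;
  let match;
  while ((match = pathWithQuery.exec(line)) !== null) {
    const params = new URLSearchParams(match[1]);
    for (const value of params.getAll(TOKEN_PARAM)) {
      if (value.length > 0) tokens.push(value);
    }
  }
  return tokens;
}

// Replace leaked token values so the line can be kept for forensics
// without continuing to expose a usable credential.
function redactLine(line) {
  return line.replace(/([?&]access_token=)[^&\s"]+/g, '$1[REDACTED]');
}

// Scan a list of lines; returns findings (1-based line numbers, a short
// prefix of each token for correlation) and a fully redacted copy.
function scanLog(lines) {
  const findings = [];
  const redacted = [];
  lines.forEach((line, index) => {
    const tokens = findLeakedTokens(line);
    if (tokens.length > 0) {
      findings.push({
        line: index + 1,
        count: tokens.length,
        prefixes: tokens.map((t) => t.slice(0, 4) + '...'),
      });
    }
    redacted.push(redactLine(line));
  });
  return { findings, redacted };
}

const report = scanLog(SAMPLE_LOG);
console.log(`${report.findings.length} line(s) leak a token:`, report.findings);
```

Any token reported here should be treated as compromised and rotated; the same parser can be pointed at archived logs to scope how long tokens were exposed.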

🔗 References
