CVE-2024-54151
📋 TL;DR
This vulnerability in Directus allows unauthenticated users to perform any CRUD operation on any collection, or subscribe to data changes, with full admin privileges when WebSocket authentication is set to 'public'. In that mode an unauthenticated connection is supposed to receive only the Public role's permissions; instead it is treated as an administrator. It affects Directus instances running versions 11.0.0 through 11.2.x with WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH set to 'public'. Note that WebSockets are disabled by default and both auth settings default to 'handshake', so only deployments that explicitly opted into 'public' are exposed.
💻 Affected Systems
- Directus
📦 What is this software?
Directus, by Monospace, is an open-source data platform and headless CMS that exposes an SQL database through REST, GraphQL and WebSocket APIs. Access control is role-based, with a Public role that defines what unauthenticated requests may do; the WebSocket auth mode decides whether a client must authenticate before sending operations.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all data: with admin privileges an attacker can read, modify and delete every collection, including system collections such as directus_users, create new users with admin access for persistent entry, and exfiltrate sensitive information.
Likely Case
Unauthorized data access and modification: attackers can view and alter user-defined collections, potentially exposing sensitive business data or personal information.
If Mitigated
Limited impact if WebSocket authentication is set to 'handshake' or 'strict' (the defaults) or WebSockets are disabled entirely: unauthenticated connections are then not granted any access, so only authenticated users can reach the WebSocket APIs and the vulnerable 'public' code path is never taken.
🎯 Exploit Status
Exploitation requires no authentication and minimal technical skill: an attacker only needs to open a WebSocket connection to an exposed endpoint and send the same item or subscription messages a legitimate client would, and the server executes them with admin privileges. No token, account or knowledge of the schema beyond collection names is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.3.0
Vendor Advisory: https://github.com/directus/directus/security/advisories/GHSA-849r-qrwj-8rv4
Restart Required: Yes
Instructions:
1. Update Directus to version 11.3.0 or later, following the normal upgrade procedure for your deployment (npm package or container image, plus any pending database migrations).
2. Restart the Directus service.
3. Verify the update was successful by checking the running version.
4. If you changed WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH away from 'public' as a temporary workaround, you may keep that setting; on the patched version, 'public' once again grants only the Public role's permissions.
🔧 Temporary Workarounds
Disable public websocket authentication
Change the WEBSOCKETS_GRAPHQL_AUTH and WEBSOCKETS_REST_AUTH environment variables from 'public' to 'handshake' (the client must authenticate in its first message) or 'strict' (a token must be supplied when the connection is opened), then restart Directus, since environment variables are only read at startup. If WebSockets are not needed at all, setting WEBSOCKETS_ENABLED to false removes the endpoints altogether.
export WEBSOCKETS_GRAPHQL_AUTH=handshake
export WEBSOCKETS_REST_AUTH=handshake
Block websocket endpoints at network level
Use firewall or reverse-proxy rules to restrict access to the WebSocket endpoints (by default /websocket for the REST WebSocket and /graphql for GraphQL subscriptions; the paths are configurable via WEBSOCKETS_REST_PATH and WEBSOCKETS_GRAPHQL_PATH). Because /graphql also serves ordinary HTTP GraphQL requests, match on the Upgrade: websocket handshake rather than on the path alone, and do it at a proxy that sees the HTTP request: a port-level firewall cannot tell WebSocket upgrades apart from normal API traffic on the same port.
🧯 If You Can't Patch
- Immediately change WEBSOCKETS_GRAPHQL_AUTH and WEBSOCKETS_REST_AUTH from 'public' to 'handshake' or 'strict' and restart Directus, or disable WebSockets entirely if they are unused
- Implement network-level restrictions (reverse-proxy or firewall rules on the WebSocket upgrade) so that unauthenticated clients cannot reach the WebSocket endpoints at all
🔍 How to Verify
Check if Vulnerable:
The instance is vulnerable when all of the following hold: the Directus version is 11.0.0 through 11.2.x, WebSockets are enabled (WEBSOCKETS_ENABLED=true), and WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH is set to 'public'. Check the effective environment of the running process or container, not only the .env file, since compose files and orchestrators can override it.
Check Version:
npx directus --version
Run this in the Directus install directory, or exec into the container; for container deployments the image tag is usually the quickest indicator. The running version is also reported by GET /server/info, but only to authenticated admin users.
Verify Fix Applied:
Confirm the running version is 11.3.0 or later AND that WEBSOCKETS_GRAPHQL_AUTH and WEBSOCKETS_REST_AUTH hold the mode you intend (leaving them at 'public' is only safe on the patched version). As a functional check, connect over WebSocket without a token and attempt to read a collection the Public role has no permission on; the request must be refused.
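The workaround and verification steps above reduce to a small decision: is the version in the affected range, are WebSockets on, and is either auth mode 'public'? The following script, added here as an example and not part of Directus or the vendor advisory, applies exactly those conditions to a dotenv-style configuration and a version string, and also produces the hardened configuration the workaround asks for. The .env text is constructed sample input; the default values it assumes when a variable is absent (WebSockets off, both auth modes 'handshake', per-protocol enable switches on) mirror the documented Directus defaults.

```python
"""Offline exposure check for CVE-2024-54151 (example for this page, not
Directus project code). It applies the advisory's conditions: version
11.0.0 through 11.2.x, WebSockets enabled, and a WebSocket auth mode of
'public'. The .env text below is constructed sample input."""
from __future__ import annotations

import re

AUTH_VARS = ("WEBSOCKETS_GRAPHQL_AUTH", "WEBSOCKETS_REST_AUTH")
# Per-protocol enable switches; Directus documents both as defaulting to true
ENABLE_VARS = {
    "WEBSOCKETS_GRAPHQL_AUTH": "WEBSOCKETS_GRAPHQL_ENABLED",
    "WEBSOCKETS_REST_AUTH": "WEBSOCKETS_REST_ENABLED",
}
FIRST_AFFECTED = (11, 0, 0)
FIXED = (11, 3, 0)

# Constructed sample .env of an exposed instance (not a real deployment)
VULNERABLE_ENV = """
# directus .env
export PUBLIC_URL=https://cms.example.internal
WEBSOCKETS_ENABLED=true
WEBSOCKETS_REST_AUTH='public'
WEBSOCKETS_GRAPHQL_AUTH=handshake
"""


def parse_env(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines (dotenv or compose-style); tolerates comments,
    blank lines, 'export ' prefixes and simple quoting."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if sep:
            env[key.strip()] = value.strip().strip("'\"")
    return env


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '11.2.2', 'v11.2.2' or 'directus@11.2.2' into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Directus version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def truthy(value: str | None, default: bool) -> bool:
    """Directus boolean env vars are the literal string 'true'."""
    if value is None:
        return default
    return value.strip().lower() == "true"


def assess(version: str, env: dict[str, str]) -> dict:
    """Return the verdict together with the reasons, so it can be audited."""
    v = parse_version(version)
    in_range = FIRST_AFFECTED <= v < FIXED
    ws_enabled = truthy(env.get("WEBSOCKETS_ENABLED"), default=False)
    public_vars = [
        name for name in AUTH_VARS
        if env.get(name, "handshake").strip().lower() == "public"
        and truthy(env.get(ENABLE_VARS[name]), default=True)
    ]
    return {
        "version": ".".join(map(str, v)),
        "version_affected": in_range,
        "websockets_enabled": ws_enabled,
        "public_auth_vars": public_vars,
        "vulnerable": in_range and ws_enabled and bool(public_vars),
    }


def hardened_env(env: dict[str, str]) -> dict[str, str]:
    """Workaround config: every 'public' WebSocket auth mode becomes
    'handshake' (the Directus default); all other settings are untouched."""
    fixed = dict(env)
    for name in AUTH_VARS:
        if fixed.get(name, "").strip().lower() == "public":
            fixed[name] = "handshake"
    return fixed


if __name__ == "__main__":
    env = parse_env(VULNERABLE_ENV)
    print(assess("11.2.2", env))                # vulnerable: True
    print(assess("11.2.2", hardened_env(env)))  # vulnerable: False (workaround)
    print(assess("11.3.0", env))                # vulnerable: False (patched)
```

Feed it the effective environment of the running process (for example the output of the container's env) rather than only the .env file, since compose files and orchestrators override dotenv values; a 'public' value that only exists in a compose file is still a 'public' value.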
📡 Detection & Monitoring
Log Indicators:
- Activity and revision records (directus_activity, directus_revisions) for create, update or delete operations with no user attached, especially on collections the Public role has no write permission on
- New rows in directus_users with admin access, or new policies and roles, that no administrator created
Network Indicators:
- WebSocket upgrade requests (HTTP 101 on /websocket or /graphql in reverse-proxy logs) from external or unexpected sources, or from scripting user agents rather than the application's own clients
- High volume of WebSocket connections from external sources, or long-lived connections from addresses that never authenticated to the HTTP API
SIEM Query (template only: Directus does not emit fields with these exact names, so map source, event and user to whatever your pipeline extracts from Directus or reverse-proxy logs):
source="directus" AND (event="websocket_connection" AND user="unauthenticated")
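Since a reverse proxy records the WebSocket handshake (the request that ends with HTTP 101) but cannot see the messages inside the frames, the practical network-side check is: which external addresses completed upgrades on the Directus WebSocket paths, and how often? The script below is an added example for this page, not Directus or vendor code; it assumes the nginx 'combined' log format, the default Directus paths /websocket and /graphql, and an explicit list of internal networks. The log lines are constructed for illustration. It also shows why matching on status 101 matters: a plain HTTP POST to /graphql is ordinary API traffic and must not be counted.

```python
"""Triage of reverse-proxy access logs for WebSocket upgrades into a
Directus instance (example for this page, not Directus or vendor code).
Assumes nginx 'combined' format and the default Directus WebSocket paths;
the sample lines are constructed."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter

# Default Directus WebSocket paths (WEBSOCKETS_REST_PATH, WEBSOCKETS_GRAPHQL_PATH)
WEBSOCKET_PATHS = {"/websocket", "/graphql"}

# Networks treated as internal; adjust to your own address plan
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7",
)]

# nginx 'combined': remote_addr - remote_user [time] "request" status bytes "referer" "ua"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines: two external clients, one internal client,
# one ordinary HTTP GraphQL call, one unparseable line
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2024:10:15:02 +0000] "GET /websocket HTTP/1.1" 101 0 "-" "python-websockets/12.0"
10.0.0.5 - - [10/Dec/2024:10:15:03 +0000] "GET /websocket HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2024:10:15:04 +0000] "GET /graphql HTTP/1.1" 101 0 "-" "python-websockets/12.0"
198.51.100.4 - - [10/Dec/2024:10:15:06 +0000] "POST /graphql HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [10/Dec/2024:10:15:07 +0000] "GET /websocket?foo=1 HTTP/1.1" 101 0 "-" "python-websockets/12.0"
198.51.100.4 - - [10/Dec/2024:10:15:09 +0000] "GET /websocket HTTP/1.1" 101 0 "-" "curl/8.4.0"
garbage line that does not parse
"""


def parse_line(line: str) -> dict | None:
    """Extract source IP, method, path (query string dropped) and status."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, when, method, target, status = m.groups()
    return {"ip": ip, "time": when, "method": method,
            "path": target.split("?", 1)[0], "status": int(status)}


def is_external(ip: str) -> bool:
    """True unless the address falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable source: never silently treat it as internal
    return not any(addr in net for net in INTERNAL_NETS)


def external_websocket_upgrades(lines, paths=WEBSOCKET_PATHS) -> Counter:
    """Count completed WebSocket handshakes (HTTP 101) on the Directus
    WebSocket paths, per external source address."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 101 or rec["path"] not in paths:
            continue
        if is_external(rec["ip"]):
            counts[rec["ip"]] += 1
    return counts


def flag_sources(counts: Counter, threshold: int = 2) -> list[str]:
    """Sources at or above the threshold, busiest first. With auth mode
    'public' every external upgrade deserves a look; the threshold only
    orders the triage."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    counts = external_websocket_upgrades(SAMPLE_LOG.splitlines())
    print(dict(counts))          # {'203.0.113.7': 3, '198.51.100.4': 1}
    print(flag_sources(counts))  # ['203.0.113.7']
```

Note that nginx writes the access-log line when the connection ends, so a long-lived exploit session shows up only after it closes; for live triage, look at established connections to the Directus upstream as well. Once a suspicious source is identified, correlate it with directus_activity entries from the same time window to see what was read or changed.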