CVE-2025-30225

5.3 MEDIUM

📋 TL;DR

This vulnerability in Directus's S3 storage driver allows an attacker to cause a denial of service for all assets by sending multiple malformed transformation requests. Once triggered, every asset becomes unavailable (returning 403 errors) to both admin and public users. It affects Directus installations using the @directus/storage-driver-s3 package from version 9.22.0 onward, before the fixed release 12.0.1.

💻 Affected Systems

Products:
  • Directus
  • @directus/storage-driver-s3
Versions: Directus 9.22.0 to 11.4.x; @directus/storage-driver-s3 9.22.0 to 12.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using the S3 storage driver. Other storage drivers are not vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of all assets in the Directus system, making all media/files unavailable to all users including administrators, potentially disrupting business operations.

🟠

Likely Case

Temporary unavailability of assets during attack bursts, causing service disruption for users trying to access media/files through the Directus interface or API.

🟢

If Mitigated

Limited impact with proper rate limiting and monitoring in place, allowing quick detection and mitigation of attack attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending multiple malformed transformation requests, which can be automated with simple scripts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Directus 11.5.0 or @directus/storage-driver-s3 12.0.1

Vendor Advisory: https://github.com/directus/directus/security/advisories/GHSA-j8xj-7jff-46mx

Restart Required: Yes

Instructions:

1. Update Directus to version 11.5.0 or higher.
2. If using the standalone @directus/storage-driver-s3 package, update it to version 12.0.1 or higher.
3. Restart the Directus application/service.

🔧 Temporary Workarounds

Implement Rate Limiting

Applies to: all

Add rate limiting to the asset transformation endpoint to blunt burst attacks

# Configure rate limiting in your reverse proxy or application firewall. nginx example: the zone goes in the http block, the
# location in the server block; the /assets/ path and the upstream name "directus" are assumed and must match your setup.
limit_req_zone $binary_remote_addr zone=transform:10m rate=10r/s;
location /assets/ { limit_req zone=transform burst=20 nodelay; proxy_pass http://directus; }

Switch Storage Driver

Applies to: all

Temporarily switch to a different storage driver if S3 is not required

# Directus configures storage through STORAGE_LOCATIONS plus STORAGE_<LOCATION>_* keys; files already stored in S3 are not migrated by this change
STORAGE_LOCATIONS=local
STORAGE_LOCAL_DRIVER=local
STORAGE_LOCAL_ROOT=./uploads

🧯 If You Can't Patch

  • Implement strict rate limiting on transformation endpoints
  • Monitor for unusual patterns of transformation requests and block suspicious IPs

🔍 How to Verify

Check if Vulnerable:

Check the Directus version: if it is between 9.22.0 and 11.4.x and the S3 storage driver is in use, the installation is vulnerable.

Check Version:

Run npm list @directus/storage-driver-s3, or check the version shown in the Directus admin panel.

Verify Fix Applied:

Verify Directus version is 11.5.0+ or @directus/storage-driver-s3 is 12.0.1+ and test asset transformation functionality.

📡 Detection & Monitoring

Log Indicators:

  • Sudden increase in 403 errors for asset requests
  • Multiple failed transformation requests from same IP
  • Error logs mentioning S3 storage driver failures

Network Indicators:

  • Bursts of requests to transformation endpoints
  • Increased error rate for asset endpoints

SIEM Query:

source="directus.logs" AND (status=403 OR message="*transformation*") | stats count by src_ip
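The two log indicators above, turned into a check over constructed proxy access-log lines (an added example, not from the advisory; the /assets/ path and the transformation query parameter names are assumed from Directus's asset endpoint):

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed nginx-style access-log lines from a proxy in front of Directus (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2025:10:00:01 +0000] "GET /assets/3f1c9a?width=300 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Apr/2025:10:00:04 +0000] "GET /items/articles HTTP/1.1" 200 880
203.0.113.9 - - [01/Apr/2025:10:00:05 +0000] "GET /assets/3f1c9a?width=301 HTTP/1.1" 403 120
203.0.113.9 - - [01/Apr/2025:10:00:05 +0000] "GET /assets/3f1c9a?height=302 HTTP/1.1" 403 120
203.0.113.9 - - [01/Apr/2025:10:00:06 +0000] "GET /assets/3f1c9a?fit=cover HTTP/1.1" 403 120
203.0.113.9 - - [01/Apr/2025:10:00:06 +0000] "GET /assets/3f1c9a?format=webp HTTP/1.1" 403 120
10.0.0.7 - - [01/Apr/2025:10:00:09 +0000] "GET /assets/77aa01 HTTP/1.1" 403 120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Query parameters that turn a Directus /assets/<id> request into a transformation request (assumed set).
TRANSFORM_PARAMS = {"width", "height", "fit", "format", "quality", "transforms", "key"}

def parse_line(line):
    """Return (ip, timestamp, is_asset, is_transformation, status), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, target, status = m.groups()
    url = urlsplit(target)
    is_asset = url.path.startswith("/assets/")
    is_transform = is_asset and bool(TRANSFORM_PARAMS & set(parse_qs(url.query)))
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), is_asset, is_transform, int(status)

def transformation_bursts(log_text, threshold=3):
    """IPs whose transformation requests in any single minute reach the threshold ('same IP' indicator)."""
    per_minute = Counter()
    for rec in map(parse_line, log_text.splitlines()):
        if rec and rec[3]:
            per_minute[(rec[0], rec[1].replace(second=0))] += 1
    peaks = {}
    for (ip, _minute), n in per_minute.items():
        peaks[ip] = max(peaks.get(ip, 0), n)
    return {ip: n for ip, n in peaks.items() if n >= threshold}

def asset_403_ratio(log_text):
    """Share of all /assets/ requests answered 403; a jump towards 1.0 is the 'sudden increase in 403s' indicator."""
    total = denied = 0
    for rec in map(parse_line, log_text.splitlines()):
        if rec and rec[2]:
            total += 1
            denied += rec[4] == 403
    return denied / total if total else 0.0
```

On the sample, the burst check flags only 203.0.113.9, while the 403 ratio also captures the collateral failure for the unrelated client 10.0.0.7, which is the symptom admins see once the driver has been knocked over.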
