CVE-2024-28239 in Directus
Summary
by MITRE • 03/12/2024
Directus is a real-time API and App dashboard for managing SQL database content. The authentication API has a `redirect` parameter that can be exploited as an open redirect vulnerability as the user tries to log in via the API URL. There's a redirect that is done after successful login via the Auth API GET request to `directus/auth/login/google?redirect=http://malicious-fishing-site.com`. While credentials don't seem to be passed to the attacker site, the user can be phished into clicking a legitimate directus site and be taken to a malicious site made to look like a an error message "Your password needs to be updated" to phish out the current password. Users who login via OAuth2 into Directus may be at risk. This issue has been addressed in version 10.10.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/16/2025
The vulnerability identified as CVE-2024-28239 represents a critical open redirect flaw within the Directus platform that compromises user authentication security. This issue exists in the authentication API's redirect parameter handling mechanism, specifically affecting the OAuth2 login flow where users authenticate through external providers like Google. The vulnerability manifests when users attempt to log in via the API URL directus/auth/login/google, where the redirect parameter accepts arbitrary URLs without proper validation or sanitization. This flaw allows attackers to craft malicious redirect URLs that can deceive users into believing they are accessing legitimate Directus interfaces while actually being directed to attacker-controlled domains designed for credential harvesting.
The technical implementation of this vulnerability stems from insufficient input validation within the authentication flow, where the redirect parameter undergoes no proper sanitization or domain verification before being processed. This open redirect condition creates a dangerous attack surface that enables social engineering campaigns targeting Directus users. The flaw operates at the application layer and specifically affects the web application's session management and authentication mechanisms, making it particularly dangerous for environments where users frequently authenticate through OAuth2 providers. The vulnerability is classified under CWE-601 as an open redirect vulnerability, which directly maps to the ATT&CK technique T1566.002 for phishing with a fake login page, where the malicious redirect serves as the initial vector for credential theft.
The operational impact of this vulnerability extends beyond simple redirection, creating a sophisticated phishing attack vector that can result in unauthorized access to user accounts and sensitive database content. Attackers can craft convincing malicious sites that mimic legitimate Directus error messages such as "Your password needs to be updated" to exploit user trust and prompt credential submission. This attack is particularly effective because it leverages the legitimate Directus domain as a trusted entry point, making the phishing attempt more convincing to users who expect to see authentic Directus interfaces. The vulnerability affects all users who authenticate through OAuth2 providers, making it a widespread concern across organizations using Directus for database content management and API services. The attack chain typically involves users clicking on links that appear legitimate but redirect them to malicious sites, potentially leading to account compromise and unauthorized database access.
Organizations utilizing Directus must prioritize immediate remediation through upgrading to version 10.10.0 or later, which contains the necessary patches to address this vulnerability. The lack of known workarounds means that defensive measures must rely entirely on version upgrades, as no alternative mitigation strategies exist for this specific flaw. Security teams should implement comprehensive monitoring of authentication logs to detect potential exploitation attempts, particularly looking for unusual redirect patterns or authentication failures that may indicate phishing attempts. Additionally, organizations should conduct user awareness training to educate staff about recognizing suspicious redirects and phishing attempts, especially when navigating to authentication portals. The vulnerability's impact on the broader security posture of Directus installations underscores the importance of maintaining up-to-date software versions and implementing robust security monitoring practices. This vulnerability demonstrates how seemingly minor input validation flaws can create significant security risks in authentication systems, emphasizing the critical need for thorough security testing of all user-facing parameters in web applications.