CVE-2024-39701 in Directus
Summary
by MITRE • 07/08/2024
Directus is a real-time API and App dashboard for managing SQL database content. Directus >=9.23.0, <=v10.5.3 improperly handles _in, _nin operators. It evaluates empty arrays as valid, so expressions like {"role": {"_in": $CURRENT_USER.some_field}} would evaluate to true, allowing the request to pass. This results in Broken Access Control because the rule fails to do what it was intended to do: Pass rule if **field** matches any of the **values**. This vulnerability is fixed in 10.6.0.
Analysis
by VulDB Data Team • 09/04/2025
CVE-2024-39701 affects Directus, a real-time API and application dashboard for managing SQL database content. The issue impacts versions 9.23.0 through 10.5.3 and is a critical flaw in the platform's access control. It stems from improper handling of the _in and _nin operators in Directus's rule evaluation, which undermines the permission rules that govern user access to data.
The flaw manifests when rule processing treats an empty array as a valid operand. This happens in particular when the _in operator is used with a dynamic user field, as in {"role": {"_in": $CURRENT_USER.some_field}}: when the user field resolves to an empty array, the evaluation incorrectly returns true. The system does not check that the array actually contains values before running the comparison, so a user whose field is empty is granted access. This deviates from the intended semantics, under which _in should succeed only when the target field matches one of the values explicitly listed in the array.
The impact is broken access control, which directly compromises the integrity of Directus's permission system. An attacker who can influence how user fields are evaluated can bypass access restrictions and reach data and functionality that should remain restricted. Requests that access control rules would normally block are allowed through, enabling privilege escalation or access to sensitive information. For organizations that rely on Directus for content management and database access control, this undermines the security model that protects against unauthorized data access and modification.
The vulnerability maps to CWE-284 (Improper Access Control) and to ATT&CK technique T1078 (Valid Accounts), used here for privilege escalation. It lets attackers exploit weak input validation and rule evaluation to bypass controls that should prevent unauthorized access to database resources. Organizations running affected versions should upgrade to 10.6.0, where the issue is fixed, add input validation where appropriate, and review their existing access control rules. The fix in 10.6.0 addresses the handling of empty arrays during _in and _nin evaluation, so that only populated arrays produce a successful access control decision.
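To make the empty-array behaviour concrete, the following is an added illustration written for this page; it is not Directus's own code and does not reproduce the actual 10.6.0 patch. It models a permission filter of the form {"role": {"_in": "$CURRENT_USER.some_field"}} with two evaluators: one that treats an empty array as valid (the behaviour the summary describes) and one that applies the intended semantics, under which _in passes only if the field matches one of the listed values. The function names, the sample rule, the field name allowed_roles and the sample users are all constructed for the example; modelling _nin as the logical complement of _in is also an assumption of this model.

```javascript
// Added illustration (not Directus's own code): a minimal model of how a
// permission filter such as {"role": {"_in": "$CURRENT_USER.some_field"}}
// is evaluated, showing the empty-array flaw beside the corrected check.

// Resolve dynamic "$CURRENT_USER.<field>" references against the session user.
// An unset or empty user field resolves to an empty array, which is exactly
// the case the vulnerable evaluator mishandles.
function resolveValue(value, currentUser) {
  if (typeof value === 'string' && value.startsWith('$CURRENT_USER.')) {
    const field = value.slice('$CURRENT_USER.'.length);
    const resolved = currentUser[field];
    if (resolved === undefined || resolved === null) return [];
    return Array.isArray(resolved) ? resolved : [resolved];
  }
  return Array.isArray(value) ? value : [value];
}

// Vulnerable behaviour as described in the advisory: an empty list is treated
// as "valid", so the rule passes regardless of the item's field value.
function evaluateVulnerable(item, filter, currentUser) {
  return Object.entries(filter).every(([field, ops]) =>
    Object.entries(ops).every(([op, raw]) => {
      const values = resolveValue(raw, currentUser);
      if (values.length === 0) return true; // the flaw: empty array accepted
      if (op === '_in') return values.includes(item[field]);
      if (op === '_nin') return !values.includes(item[field]);
      throw new Error(`unsupported operator ${op}`);
    })
  );
}

// Corrected behaviour: _in passes only if the field matches one of the
// values, so an empty list can never match. _nin is modelled as the logical
// complement (an empty exclusion list excludes nothing); that choice is an
// assumption of this model, not a statement about the 10.6.0 fix.
function evaluateFixed(item, filter, currentUser) {
  return Object.entries(filter).every(([field, ops]) =>
    Object.entries(ops).every(([op, raw]) => {
      const values = resolveValue(raw, currentUser);
      if (op === '_in') return values.some((v) => v === item[field]);
      if (op === '_nin') return !values.some((v) => v === item[field]);
      throw new Error(`unsupported operator ${op}`);
    })
  );
}

// Constructed sample data: a permission rule keyed on the user's allowed
// roles, one item, and two session users (one with the field unset).
const permissionFilter = { role: { _in: '$CURRENT_USER.allowed_roles' } };
const item = { id: 1, role: 'admin' };
const userWithRoles = { id: 'u1', allowed_roles: ['editor'] };
const userWithoutRoles = { id: 'u2' }; // allowed_roles not set -> []

// Returns the decisions of both evaluators so they can be compared.
function compare(user) {
  return {
    vulnerable: evaluateVulnerable(item, permissionFilter, user),
    fixed: evaluateFixed(item, permissionFilter, user),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('user with roles   :', compare(userWithRoles));
  console.log('user without roles:', compare(userWithoutRoles));
}
```

For the user whose allowed_roles field is unset, the vulnerable evaluator returns true and the corrected one returns false; for the user with ['editor'], both deny access to the 'admin' item. The same model is a useful check when reviewing existing rules after upgrading: any rule whose right-hand side can resolve to an empty list on some users is one whose behaviour changed between the affected versions and 10.6.0.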