CVE-2024-54151 in Directus
Summary
by MITRE • 12/09/2024
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges. This impacts any Directus instance that has either `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` set to `public` allowing unauthenticated users to subscribe for changes on any collection or do REST CRUD operations on user defined collections ignoring permissions. Version 11.3.0 fixes the issue.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 11/18/2025
The vulnerability identified as CVE-2024-54151 affects Directus, a real-time API and application dashboard designed for managing SQL database content. This security flaw exists in versions 11.0.0 through 11.2.9, creating a critical access control bypass that allows unauthenticated users to perform administrative operations through websocket connections. The vulnerability stems from improper authentication mechanisms within the websocket authentication configuration, specifically when the `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` environment variables are set to "public" status. This configuration setting effectively disables authentication requirements for websocket connections, creating an attack surface where malicious actors can exploit the system without proper authorization.
The technical implementation of this vulnerability resides in the websocket authentication subsystem of Directus, which operates under CWE-285: Improper Authorization. When either of the affected environment variables is set to "public", the system fails to validate user credentials before granting access to graphql or rest operations. This misconfiguration allows attackers to establish websocket connections and execute any supported operations including create, read, update, and delete actions against database collections. The vulnerability impacts both GraphQL and REST websocket endpoints, providing attackers with comprehensive access to the database content management system. The flaw represents a fundamental breakdown in the principle of least privilege, where the system grants full administrative capabilities to any user who can establish a websocket connection, regardless of authentication status.
The operational impact of this vulnerability is severe and far-reaching for organizations using affected Directus versions. Unauthenticated attackers can subscribe to database change notifications for any collection, potentially exposing sensitive data through real-time monitoring of database modifications. Additionally, attackers can perform full CRUD operations on user-defined collections, effectively allowing them to modify, delete, or extract any data stored within the system. This vulnerability undermines the entire security model of Directus, as it bypasses all configured permissions and access controls. The implications extend beyond simple data theft, as attackers can modify system configurations, delete critical data, and potentially establish persistence mechanisms within the application. Organizations relying on Directus for content management, database administration, or API services face significant risk of data compromise and system integrity violations.
Organizations should immediately implement mitigation strategies to address this vulnerability by upgrading to Directus version 11.3.0 or later, which contains the necessary patches to resolve the authentication bypass issue. System administrators should review all configuration files and environment variables to ensure that `WEBSOCKETS_GRAPHQL_AUTH` and `WEBSOCKETS_REST_AUTH` are not set to "public" in production environments. The recommended approach involves implementing proper authentication mechanisms for websocket connections and enforcing strict access controls. Organizations should also consider implementing network-level security measures such as firewalls and access control lists to limit websocket connection access to trusted networks only. Additionally, monitoring and logging of websocket connections should be enabled to detect potential exploitation attempts. The vulnerability aligns with ATT&CK technique T1078: Valid Accounts, as it allows unauthorized access to system resources through improper configuration rather than credential theft. Regular security assessments and configuration reviews are essential to prevent similar issues in the future, particularly focusing on authentication and authorization settings in web applications.