Directus DoS Vulnerability - GraphQL Resolver Amplification
Platform
nodejs
Component
directus
Fixed in
11.17.0
GHSA-6q22-g298-grjh describes a Denial of Service (DoS) vulnerability in Directus. The GraphQL specification allows the same field to be selected repeatedly within a single query as long as each occurrence carries a distinct alias. Directus resolved every alias independently, with no deduplication, so a single request could invoke the same resolver as many times as it contained aliases. Because the health check resolver is reachable without authentication, an attacker can send unauthenticated queries containing a large number of aliases of that resolver and cause resource consumption out of proportion to the single request. The issue is fixed in version 11.17.0.
How to fix
Upgrade to Directus 11.17.0 or later, which deduplicates resolver invocations within a request. If you cannot upgrade immediately, restrict network access to the GraphQL endpoint and rate-limit unauthenticated requests to it.
Frequently asked questions
What is GHSA-6q22-g298-grjh?
GHSA-6q22-g298-grjh is a Denial of Service (DoS) vulnerability in Directus caused by the amplification of GraphQL resolver invocations through aliased queries.
Am I affected by GHSA-6q22-g298-grjh?
You are affected if you are using a version of Directus prior to 11.17.0 and have the GraphQL endpoint exposed. Attackers can exploit this vulnerability without authentication.
How do I fix GHSA-6q22-g298-grjh?
Upgrade to Directus version 11.17.0 or later. This version includes a fix that deduplicates resolver invocations, preventing the amplification of resource consumption.
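Added example, not Directus code and not the project's actual fix: a small Node.js script that illustrates both the amplification described in the advisory and the deduplicating fix mentioned in this answer. It builds a query with many aliases of one root field, counts how often each root field is selected, executes the selection set against a resolver map with and without per-request deduplication, and applies a pre-execution alias budget as an additional guard. The root field name `server_health` and the resolver map are assumptions for illustration; the advisory only refers to "the health check resolver".

```javascript
'use strict';

// Added example, not Directus code. The root field name `server_health` is an
// assumption used for illustration; the advisory only says "health check resolver".

// Build a query that selects one root field n times under distinct aliases:
//   query { h0: server_health h1: server_health ... }
function buildAliasedQuery(field, n) {
  const parts = [];
  for (let i = 0; i < n; i++) parts.push(`h${i}: ${field}`);
  return `query { ${parts.join(' ')} }`;
}

// Count how often each field is selected in the query's root selection set.
// "alias: field" counts as a selection of "field". Argument lists and nested
// selection sets are skipped, and fragment spreads are not expanded. This is a
// simplification: a production rule would walk the parsed AST with fragments resolved.
function countRootFields(query) {
  const start = query.indexOf('{');
  if (start < 0) throw new Error('query has no selection set');
  const tokens = query.slice(start + 1)
    .match(/\.\.\.|[{}():]|"(?:[^"\\]|\\.)*"|[_A-Za-z][_0-9A-Za-z]*|-?\d+(?:\.\d+)?/g) || [];
  const counts = new Map();
  let depth = 0;        // nesting below the root selection set
  let parens = 0;       // inside an argument list
  let pending = null;   // last name seen at root level; may turn out to be an alias
  let skipNames = 0;    // names to ignore after a fragment spread
  const commit = () => {
    if (pending !== null) counts.set(pending, (counts.get(pending) || 0) + 1);
    pending = null;
  };
  for (const t of tokens) {
    if (t === '{') { if (depth === 0 && parens === 0) commit(); depth++; continue; }
    if (t === '}') { if (depth === 0) { commit(); return counts; } depth--; continue; }
    if (depth > 0) continue;
    if (t === '(') { parens++; continue; }
    if (t === ')') { parens--; continue; }
    if (parens > 0) continue;
    if (t === '...') { skipNames = 1; continue; }
    if (t === ':') { pending = null; continue; }   // the name before ':' was an alias
    if (/^[_A-Za-z]/.test(t)) {
      if (skipNames > 0) { skipNames = t === 'on' ? 1 : skipNames - 1; continue; }
      commit();
      pending = t;
    }
  }
  throw new Error('unbalanced selection set');
}

// Execute the root selection set against a resolver map. Without deduplication
// every selection (alias) invokes the resolver, which is the behaviour the
// advisory describes; with it, a field is resolved once per request and the
// result is reused for every alias. The memo is keyed on the field name only
// because arguments were dropped above; a real implementation keys on field
// plus its arguments.
function executeRoot(query, resolvers, { dedupe = false } = {}) {
  const counts = countRootFields(query);
  const memo = new Map();
  const data = {};
  let invocations = 0;
  for (const [field, n] of counts) {
    const resolve = resolvers[field];
    if (typeof resolve !== 'function') throw new Error(`unknown root field: ${field}`);
    for (let i = 0; i < n; i++) {
      if (dedupe && memo.has(field)) continue;
      invocations++;
      memo.set(field, resolve());
    }
    data[field] = memo.get(field);
  }
  return { invocations, data };
}

// Pre-execution guard: reject a query that selects any root field more than
// maxPerField times, aliases included, before any resolver runs.
function validateAliasBudget(query, maxPerField) {
  const violations = [];
  for (const [field, count] of countRootFields(query)) {
    if (count > maxPerField) violations.push({ field, count });
  }
  return { ok: violations.length === 0, violations };
}

// Constructed stand-in for the health check resolver (not the Directus one).
const demoResolvers = { server_health: () => ({ status: 'ok' }) };

function demo(n = 1000) {
  const q = buildAliasedQuery('server_health', n);
  return {
    naive: executeRoot(q, demoResolvers).invocations,
    deduped: executeRoot(q, demoResolvers, { dedupe: true }).invocations,
    guard: validateAliasBudget(q, 10),
  };
}

console.log(JSON.stringify(demo()));
```

With 1000 aliases the naive execution invokes the resolver 1000 times for one HTTP request, the deduplicated execution once, and the alias budget rejects the query before execution. Deduplication alone only helps when the repeated selections are identical; an alias budget or a general query cost limit is the complementary control for aliases that differ in their arguments.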