CVE-2022-36031

MEDIUM

Directus < 9.15.0 - Authenticated Denial of Service via filename_disk Field Manipulation

Title source: llm

Description

Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the `filename_disk` value to a folder and accessing that file through the `/assets` endpoint. This vulnerability has been patched and release v9.15.0 contains the fix. Users are advised to upgrade. Users unable to upgrade may prevent this problem by making sure no (untrusted) non-admin users have permissions to update the `filename_disk` field on `directus_files`.

References (1)

Core 1

Core References

Exploit, Mitigation, Third Party Advisory x_refsource_confirm

https://github.com/directus/directus/security/advisories/GHSA-77qm-wvqq-fg79

Scores

CVSS v3 6.5

EPSS 0.0081

EPSS Percentile 51.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-755

Status published

Products (2)

monospace/directus < 9.15.0

npm/directus 0 - 9.15.0npm

Published Aug 19, 2022

Tracked Since Feb 18, 2026