CVE-2024-34709

Name of the Vulnerable Software and Affected Versions Directus versions prior to 10.11.0

Description The issue concerns session tokens that do not get properly invalidated when a user logs out. Specifically, the directus session is destroyed, and the cookie is deleted, but if the cookie value is captured, it remains valid for its entire expiry time, which is set to 1 day by default. This effectively turns the session token into a long-lived, unrevokable stateless token instead of the intended stateful session token.

Recommendations For versions prior to 10.11.0, update to version 10.11.0 to fix the issue. As a temporary workaround, consider implementing additional checks to ensure that leaked tokens are not valid indefinitely, such as verifying the existence and expiration status of the associated directus session when authenticating a session token JWT.