PT-2024-26913 · Directus · Directus

Zehir

·

Published

2024-06-03

·

Updated

2025-01-13

·

CVE-2024-36128

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Directus versions prior to 10.11.2

Description

Directus is a real-time API and App dashboard for managing SQL database content. Providing a non-numeric length value to the random string generation utility will create a memory issue, breaking the capability to generate random strings platform-wide. This creates a denial of service situation where logged-in sessions can no longer be refreshed, as sessions depend on the capability to generate a random session ID. The issue can be triggered by accessing the "GET http://localhost:8055/utils/random/string" endpoint with a non-numeric length value, such as "foo". After this, all calls to "GET http://localhost:8055/utils/random/string" will return an empty string instead of a random string, causing authentication refreshes to fail for the app and API.

Recommendations

To resolve the issue, update to version 10.11.2 or later. As a temporary workaround, consider restricting access to the vulnerable "utils/random/string" endpoint until a patch is available. Avoid using non-numeric length values in the length parameter of the affected API endpoint until the issue is resolved.

Exploit

Fix

DoS

Improper Check for Exceptional Conditions

Weakness Enumeration

Related Identifiers

CVE-2024-36128
GHSA-632P-P495-25M5

Affected Products

Directus