PT-2025-12978 · Unknown+1 · @Directus/Storage-Driver-S3+1

Published: 2025-03-26 · Updated: 2025-11-18 · CVE-2025-30350

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

Directus versions 9.22.0 through 11.4.99
@directus/storage-driver-s3 versions 9.22.0 through 12.0.0

Description

The issue affects the @directus/storage-driver-s3 package, causing asset unavailability after a burst of HEAD requests. Some tools use the HEAD method to check the existence of files, and when making many HEAD requests at once, all assets are eventually served as 403, resulting in denial of assets for all policies of Directus, including Admin and Public.

Recommendations

For Directus versions 9.22.0 through 11.4.99, update the @directus/storage-driver-s3 package to version 12.0.1 or later. For @directus/storage-driver-s3 versions 9.22.0 through 12.0.0, update to version 12.0.1 or later.

Exploit

Fix

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2025-30350
GHSA-RV78-QQRQ-73M5

Affected Products

@Directus/Storage-Driver-S3
Directus