What is the severity of GHSA-56p6-qw3c-fq2g?

The severity of GHSA-56p6-qw3c-fq2g is considered moderate due to its impact on unauthorized access for suspended users.

How do I fix GHSA-56p6-qw3c-fq2g?

To fix GHSA-56p6-qw3c-fq2g, ensure that the session token verification process includes a check for the user's active status before granting API access.

Which versions of Directus are affected by GHSA-56p6-qw3c-fq2g?

Directus versions between 10.10.0 and 11.15.0 are affected by GHSA-56p6-qw3c-fq2g.

What are the potential consequences of GHSA-56p6-qw3c-fq2g?

The potential consequences of GHSA-56p6-qw3c-fq2g include unauthorized access to the API by suspended users, leading to data breaches or misuse.

Is there a workaround for GHSA-56p6-qw3c-fq2g?

Currently, the recommended approach is to update the Directus application to a patched version to mitigate the vulnerability.

Vulnerability/
GHSA-56p6-qw3c-fq2g

low

3.5

CWE

672

26/3/2025

27/3/2025

GHSA-56p6-qw3c-fq2g

First published: Wed Mar 26 2025(Updated: )

### Summary Since the user status is not checked when verifying a session token a suspended user can use the token generated in session auth mode to access the API despite their status. ### Details There is a check missing in `verifySessionJWT` to verify that a user is actually still active and allowed to access the API. Right now one can extract the session token obtained by, e.g. login in to the app while still active and then, after the user has been suspended continue to use that token until it expires. ### PoC * Create an active user * Log in with that user and note the session cookie * Suspend the user (and don't trigger an `/auth/refresh` call, as that invalidates the session * Access the API with `Authorization: Bearer <token>` ### Impact This weakens the security of suspending users.

Affected Software	Affected Version	How to fix
npm/directus	>=10.10.0<11.15.0	11.15.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of GHSA-56p6-qw3c-fq2g?
The severity of GHSA-56p6-qw3c-fq2g is considered moderate due to its impact on unauthorized access for suspended users.
How do I fix GHSA-56p6-qw3c-fq2g?
To fix GHSA-56p6-qw3c-fq2g, ensure that the session token verification process includes a check for the user's active status before granting API access.
Which versions of Directus are affected by GHSA-56p6-qw3c-fq2g?
Directus versions between 10.10.0 and 11.15.0 are affected by GHSA-56p6-qw3c-fq2g.
What are the potential consequences of GHSA-56p6-qw3c-fq2g?
The potential consequences of GHSA-56p6-qw3c-fq2g include unauthorized access to the API by suspended users, leading to data breaches or misuse.
Is there a workaround for GHSA-56p6-qw3c-fq2g?
Currently, the recommended approach is to update the Directus application to a patched version to mitigate the vulnerability.

agent/first-publish-date
agent/description
agent/weakness
agent/severity
agent/source
agent/type
agent/softwarecombine
agent/event
agent/last-modified-date
agent/references
agent/tags
collector/github-advisory-latest
source/GitHub
alias/GHSA-56p6-qw3c-fq2g
alias/CVE-2025-30351
agent/software-canonical-lookup
package-manager/npm

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.