Vulnerability in Directus API Affecting S3 Storage Driver
CVE-2025-30350
5.3 MEDIUM
What is CVE-2025-30350?
The Directus API, widely used for managing SQL database content, contains a vulnerability in the @directus/storage-driver-s3 package affecting versions 9.22.0 through 12.0.1. This issue arises when multiple HEAD requests are made simultaneously, resulting in a denial of access to assets across all policies, including Admin and Public. This could severely impact operations for tools that rely on Directus for content synchronization. Version 12.0.1 of the S3 storage driver, corresponding to Directus version 11.5.0, addresses this vulnerability, ensuring reliable asset availability even during bursts of requests.
Affected Version(s)
directus >= 9.22.0, < 11.5.0
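To check a deployment against these ranges, the following added example (not part of the advisory or of Directus) scans a parsed `package-lock.json` for affected copies of `directus` and `@directus/storage-driver-s3`, including nested installs. It assumes lockfile version 2 or 3 and treats driver version 12.0.1 as fixed, as the description states; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example. Ranges come from the advisory text above:
// affected when min <= version < fixed.
const RANGES = {
  "directus": { min: "9.22.0", fixed: "11.5.0" },
  "@directus/storage-driver-s3": { min: "9.22.0", fixed: "12.0.1" },
};

// Parse "MAJOR.MINOR.PATCH"; pre-release and build suffixes are ignored,
// so "11.5.0-rc.1" is compared as 11.5.0 (review such versions by hand).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(name, version) {
  const range = RANGES[name];
  const v = parseVersion(version);
  if (!range || !v) return false;
  return compare(v, parseVersion(range.min)) >= 0 &&
         compare(v, parseVersion(range.fixed)) < 0;
}

// lock: parsed package-lock.json with a "packages" map (lockfileVersion 2/3).
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    const name = path.split("node_modules/").pop();
    if (isAffected(name, meta.version)) {
      hits.push({ path, name, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (not from a real project).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "cms", version: "1.0.0" },
  "node_modules/directus": { version: "11.4.1" },
  "node_modules/@directus/storage-driver-s3": { version: "12.0.1" },
  "node_modules/directus/node_modules/@directus/storage-driver-s3": { version: "11.0.5" },
}};
console.log(findAffected(sampleLock));
```

A nested copy of the driver can remain in the affected range even when the top-level copy is already fixed, which is why the scan walks every `packages` entry rather than only the top-level dependency.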