Session Token Exploit in Directus API Management Tool
CVE-2025-30351

3.5 LOW

Key Information:

Vendor

Directus

Status
Vendor
CVE Published:
26 March 2025

What is CVE-2025-30351?

Directus versions from 10.10.0 up to, but not including, 11.5.0 keep honouring session tokens that were issued to a user before that user's status was changed to suspended. The verifySessionJWT function validated the token itself but did not re-check the account's current status, so a session created while the account was active remained usable after suspension for as long as the token itself stayed valid. A suspended user (or anyone holding that user's session token) can therefore keep calling the API after an administrator has suspended the account: the attacker logs in while the account is still active and then continues to use the resulting session token once it has been suspended. Version 11.5.0 adds the missing status check to verifySessionJWT and rejects session tokens belonging to suspended users. After upgrading, a quick way to confirm the fix is to log in as a test user, suspend that account, and check that requests carrying the pre-suspension session token are now rejected rather than served.
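The pattern behind the flaw and its fix, as an added example that is not Directus's own code: a minimal HS256 session-token verifier in TypeScript where the vulnerable variant checks only the token and the hardened variant re-reads the user's status on every request. The token layout, the in-memory user table, the secret and the function names (login, suspend, verifySessionJWTVulnerable, verifySessionJWTFixed, replayScenario) are assumptions made for illustration; only the shape of the bug (a verifier that never consults the account's current status) mirrors the advisory.

```typescript
// Added example, not Directus code. Reproduces the CVE-2025-30351 pattern
// (session token still accepted after suspension) and the corrected check.
// Token format, user table, secret and names are illustrative assumptions.
import { createHmac, timingSafeEqual } from "node:crypto";

type UserStatus = "active" | "suspended";
interface User { id: string; status: UserStatus; }
interface Claims { id: string; session: string; exp: number; }

// Constructed in-memory user directory standing in for a users table.
const users: Map<string, User> = new Map([
  ["u-1", { id: "u-1", status: "active" }],
]);

// Illustrative signing secret; a real deployment reads this from config.
const SECRET = "example-secret-do-not-use";

const b64url = (s: string | Buffer): string =>
  Buffer.from(s).toString("base64url");

// Mint an HS256 session JWT. Login itself refuses suspended accounts, which
// is exactly why the attacker must obtain the token while still active.
function login(userId: string): string {
  const user = users.get(userId);
  if (!user || user.status !== "active") throw new Error("login refused");
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({
    id: user.id, session: "s-1", exp: Math.floor(Date.now() / 1000) + 3600,
  }));
  const sig = b64url(createHmac("sha256", SECRET).update(`${header}.${payload}`).digest());
  return `${header}.${payload}.${sig}`;
}

// Signature and expiry check shared by both verifiers below.
function verifyJwt(token: string): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [header, payload, sig] = parts;
  const expected = b64url(createHmac("sha256", SECRET).update(`${header}.${payload}`).digest());
  const a = Buffer.from(sig), b = Buffer.from(expected);
  if (a.length !== b.length || !timingSafeEqual(a, b)) throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")) as Claims;
  if (typeof claims.exp !== "number" || claims.exp < Math.floor(Date.now() / 1000)) {
    throw new Error("expired");
  }
  return claims;
}

// Vulnerable pattern: the token is cryptographically valid and the user
// exists, so the request is served. The account's current status is never
// consulted, and a token minted before suspension keeps working.
function verifySessionJWTVulnerable(token: string): User {
  const claims = verifyJwt(token);
  const user = users.get(claims.id);
  if (!user) throw new Error("unknown user");
  return user;
}

// Hardened pattern: re-read the account on every request and reject any
// token whose owner is no longer active, which is what the fix adds.
function verifySessionJWTFixed(token: string): User {
  const claims = verifyJwt(token);
  const user = users.get(claims.id);
  if (!user || user.status !== "active") throw new Error("invalid token: user not active");
  return user;
}

// Administrator action: suspend the account without touching its sessions.
function suspend(userId: string): void {
  const user = users.get(userId);
  if (user) user.status = "suspended";
}

// Replays the advisory's sequence (log in while active, get suspended, reuse
// the old token) and reports whether each verifier still accepts the token.
function replayScenario(): { vulnerableAccepts: boolean; fixedAccepts: boolean } {
  const token = login("u-1");
  suspend("u-1");
  const accepts = (verify: (t: string) => User): boolean => {
    try { verify(token); return true; } catch { return false; }
  };
  return {
    vulnerableAccepts: accepts(verifySessionJWTVulnerable),
    fixedAccepts: accepts(verifySessionJWTFixed),
  };
}
```

The point of the example is where the status check lives: refusing login for suspended users is not enough, because the session token outlives that decision; the verifier that runs on every request has to re-check the account, or suspension has no effect until the token expires.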

Affected Version(s)

directus >= 10.10.0, < 11.5.0

CVSS V3.1

Score:
3.5
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published: 26 March 2025

  • Vulnerability reserved