GHSA-68g8-c275-xf2m

GitHub Security Advisory

Directus vulnerable to SSRF Loopback IP filter bypass

GitHub Reviewed | Severity: MODERATE | Has CVE

Advisory Details

### Impact
If you're relying on blocking access to localhost using the default `0.0.0.0` filter, this can be bypassed using other registered loopback addresses (for example `127.0.0.2` through `127.127.127.127`).

### Workaround
You can block this bypass by manually adding the `127.0.0.0/8` CIDR range to the filter, which blocks access to any `127.X.X.X` IP address instead of just `127.0.0.1`.
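The difference between the two filter settings, as an added example that is not Directus's own code: a small IPv4 deny-list check (the names `isDenied`, `parseRule`, `WEAK_DENY_LIST` and `HARDENED_DENY_LIST` are assumptions) run against a list that names only single addresses and one that carries the `127.0.0.0/8` range. It assumes the check is applied to the resolved address an outbound request would actually connect to, not to the hostname string.

```javascript
// Added example, not Directus code: shows why a single-address deny entry
// does not cover the loopback block and how a CIDR entry does.

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`bad octet in ${ip}`);
    return ((acc << 8) | Number(p)) >>> 0;
  }, 0);
}

// Parse "a.b.c.d" (exact host, /32) or "a.b.c.d/n" (CIDR) into {base, mask}.
function parseRule(rule) {
  const [addr, prefixStr] = rule.split('/');
  const prefix = prefixStr === undefined ? 32 : Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`bad prefix in ${rule}`);
  // JS shifts are mod 32, so /0 must be special-cased to an all-zero mask.
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return { base: (ipv4ToInt(addr) & mask) >>> 0, mask };
}

// True if `ip` falls inside any rule of the deny list.
// Run this on the resolved address, after DNS lookup, not on the hostname.
function isDenied(ip, denyList) {
  const value = ipv4ToInt(ip);
  return denyList.map(parseRule).some(({ base, mask }) => ((value & mask) >>> 0) === base);
}

// Constructed lists: the weak one names individual addresses only, the
// hardened one adds the 127.0.0.0/8 range from the advisory's workaround.
const WEAK_DENY_LIST = ['0.0.0.0', '127.0.0.1'];
const HARDENED_DENY_LIST = ['0.0.0.0', '127.0.0.0/8'];

// Constructed sample addresses, including the loopback ones the advisory names.
const SAMPLES = ['127.0.0.1', '127.0.0.2', '127.127.127.127', '10.0.0.5'];

// Map each sample address to whether the given list denies it.
function report(denyList) {
  return Object.fromEntries(SAMPLES.map((ip) => [ip, isDenied(ip, denyList)]));
}
```

`report(WEAK_DENY_LIST)` denies only `127.0.0.1`, while `report(HARDENED_DENY_LIST)` denies every `127.x.x.x` sample and still allows `10.0.0.5`.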

Affected Packages

npm directus
Affected versions: 0 (fixed in 10.13.3)
npm directus
Affected versions: 11.0.0 (fixed in 11.1.0)
npm @directus/api
Affected versions: 0 (fixed in 21.0.0)
npm @directus/api
Affected versions: 22.0.0 (fixed in 22.1.1)

Key Information

GHSA ID
GHSA-68g8-c275-xf2m
Published
September 18, 2024 5:42 PM
Last Modified
September 18, 2024 7:25 PM
CVSS Score
5.0 /10
Primary Ecosystem
npm
Primary Package
directus
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 12, 2025 6:34 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.