GHSA-vw58-ph65-6rxp

GitHub Security Advisory

Directus inserts access token from query string into logs

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Summary
The access token passed in the query string is not redacted and is potentially exposed in system logs, which may be persisted.

### Details
The access token in `req.query` is not redacted when `LOG_STYLE` is set to `raw`. If these logs are not properly sanitized or protected, an attacker with access to them can potentially gain administrative control, leading to unauthorized data access and manipulation.

### PoC
1. Set `LOG_STYLE="raw"` in the environment.
2. Send a request with the `access_token` in the query string.
3. Notice that the `access_token` in `req.query` is not redacted.

### Impact
It impacts systems where `LOG_STYLE` is set to `raw`. The `access_token` in the query string could potentially be a long-lived static token. Users with impacted systems should rotate their static tokens if they were ever provided via the query string.
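The following is an added example, not Directus code or the fix shipped in 21.0.0: it shows the class of defect the advisory describes (a request serializer that logs `req.query` verbatim) beside a hardened serializer that masks the token in the parsed query, the raw URL and credential headers, and a small scanner for log lines written before the fix so the static tokens that need rotating can be identified. It assumes an Express-like `req` object with `method`, `url`, `query` and `headers`; the key names, header names, sample request and sample log lines are all constructed placeholders.

```javascript
// Added example (not Directus code): a pino-style request serializer that
// redacts the access token before a request object reaches the log, plus a
// scanner for log lines that were written before the fix. Assumptions: an
// Express-like `req` with `method`, `url`, `query` and `headers`; the key and
// header names below are illustrative and the sample values are constructed.

const REDACTED = '--redacted--';
const SECRET_QUERY_KEYS = new Set(['access_token']);
const SECRET_HEADERS = new Set(['authorization', 'cookie']);

// Return a copy of a parsed query object with secret keys masked.
function redactQuery(query) {
  const out = {};
  for (const [key, value] of Object.entries(query || {})) {
    out[key] = SECRET_QUERY_KEYS.has(key.toLowerCase()) ? REDACTED : value;
  }
  return out;
}

// Mask the same keys inside a raw URL such as "/items?access_token=x&limit=1".
function redactUrl(url) {
  const idx = url.indexOf('?');
  if (idx === -1) return url;
  const params = new URLSearchParams(url.slice(idx + 1));
  for (const key of [...params.keys()]) {
    if (SECRET_QUERY_KEYS.has(key.toLowerCase())) params.set(key, REDACTED);
  }
  return `${url.slice(0, idx)}?${params.toString()}`;
}

// Mask credential-bearing headers (returns a copy).
function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name] = SECRET_HEADERS.has(name.toLowerCase()) ? REDACTED : value;
  }
  return out;
}

// The vulnerable shape: the request is logged as-is, so a token in the query
// string ends up verbatim in the persisted log line.
function serializeRequestUnsafe(req) {
  return { method: req.method, url: req.url, query: req.query, headers: req.headers };
}

// The hardened serializer: every field that can carry the token is redacted.
function serializeRequestSafe(req) {
  return {
    method: req.method,
    url: redactUrl(req.url),
    query: redactQuery(req.query),
    headers: redactHeaders(req.headers),
  };
}

// True when a serialized record still contains the secret anywhere in it.
function leaksToken(record, token) {
  return JSON.stringify(record).includes(token);
}

// Scan existing log lines for query-string tokens so the affected static tokens
// can be identified and rotated; returns the 0-based indices of matching lines.
function findLinesWithQueryToken(lines) {
  const pattern = /[?&]access_token=[^&"\s]+/i;
  return lines.map((line, i) => (pattern.test(line) ? i : -1)).filter((i) => i >= 0);
}

// Constructed sample request; the token value is a placeholder, not a credential.
const sampleReq = {
  method: 'GET',
  url: '/items/articles?access_token=STATIC_TOKEN_PLACEHOLDER&limit=1',
  query: { access_token: 'STATIC_TOKEN_PLACEHOLDER', limit: '1' },
  headers: { host: 'directus.example', authorization: 'Bearer STATIC_TOKEN_PLACEHOLDER' },
};

// Constructed raw-style log lines as they might have been persisted before the fix.
const sampleLogLines = [
  '{"level":30,"msg":"GET /items/articles?access_token=STATIC_TOKEN_PLACEHOLDER&limit=1"}',
  '{"level":30,"msg":"GET /items/articles?limit=1"}',
  '{"level":30,"msg":"GET /server/health"}',
];

console.log(JSON.stringify(serializeRequestUnsafe(sampleReq)));
console.log(JSON.stringify(serializeRequestSafe(sampleReq)));
console.log('log lines carrying a query-string token:', findLinesWithQueryToken(sampleLogLines));
```

The serializer returns copies rather than mutating `req`, so redaction in the log path cannot affect authentication downstream; the scanner is deliberately narrow (only `access_token=` in a query position) so that it points at the lines whose tokens must be rotated rather than at every occurrence of the word.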

Affected Packages

npm @directus/api
Affected versions: >= 0, < 21.0.0 (fixed in 21.0.0)

Key Information

GHSA ID
GHSA-vw58-ph65-6rxp
Published
April 14, 2025 3:20 PM
Last Modified
April 14, 2025 3:20 PM
CVSS Score
5.0 /10
Primary Ecosystem
npm
Primary Package
@directus/api
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 15, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.