Directus vulnerable to unhandled exception on illegal filename_disk value

The Directus process can be aborted by having an authorized user update the filename_disk value to a folder and accessing that file through the /assets endpoint.

The vulnerability is patched and released in v9.15.0.

You can prevent this problem by making sure no (untrusted) non-admin users have permissions to update the filename_disk field on directus_files.

For more information

If you have any questions or comments about this advisory:

• Open a Discussion in directus/directus
• Email us at [email protected]

Credits

This vulnerability was first discovered and reported by Witold Gorecki.