Directus is a real-time API and App dashboard for managing SQL database content. The `@directus/storage-driver-s3` package starting in version 9.22.0 and prior to version 12.0.1, corresponding to Directus starting in version 9.22.0 and prior to 11.5.0, is vulnerable to asset unavailability after a burst of HEAD requests. Some tools use Directus to sync content and assets, and some of those tools use the HEAD method to check the existence of files. When making many HEAD requests at once, at some point, all assets are eventually served as 403. This causes denial of assets for all policies of Directus, including Admin and Public. Version 12.0.1 of the `@directus/storage-driver-s3` package, corresponding to version 11.5.0 of Directus, fixes the issue.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00124.

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

Vendors Products
Directus Subscribe
Directus Subscribe
Monospace Subscribe
Directus Subscribe

Configuration 1 [-]

cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors Products
Directus Subscribe
Directus Subscribe
Advisories
Source ID Title
EUVD EUVD EUVD-2025-8231 Directus's S3 assets become unavailable after a burst of HEAD requests
Github GHSA Github GHSA GHSA-rv78-qqrq-73m5 Directus's S3 assets become unavailable after a burst of HEAD requests
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://github.com/directus/directus/security/advisories/GHSA-rv78-qqrq-73m5 cve-icon cve-icon
History

Tue, 18 Nov 2025 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Monospace
Monospace directus
CPEs cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*
Vendors & Products Monospace
Monospace directus

Wed, 26 Mar 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 26 Mar 2025 17:00:00 +0000

Type Values Removed Values Added
Description Directus is a real-time API and App dashboard for managing SQL database content. The `@directus/storage-driver-s3` package starting in version 9.22.0 and prior to version 12.0.1, corresponding to Directus starting in version 9.22.0 and prior to 11.5.0, is vulnerable to asset unavailability after a burst of HEAD requests. Some tools use Directus to sync content and assets, and some of those tools use the HEAD method to check the existence of files. When making many HEAD requests at once, at some point, all assets are eventually served as 403. This causes denial of assets for all policies of Directus, including Admin and Public. Version 12.0.1 of the `@directus/storage-driver-s3` package, corresponding to version 11.5.0 of Directus, fixes the issue.
Title Directus's S3 assets become unavailable after a burst of HEAD requests
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-03-26T18:04:30.065Z

Reserved: 2025-03-21T14:12:06.269Z

Link: CVE-2025-30350

cve-icon Vulnrichment

Updated: 2025-03-26T17:10:03.368Z

cve-icon NVD

Status : Analyzed

Published: 2025-03-26T17:15:27.093

Modified: 2025-11-18T17:44:38.713

Link: CVE-2025-30350

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-07-13T11:06:52Z

Weaknesses