Executive Summary

This vulnerability exists in Directus versions prior to 11.17.0 in its GraphQL endpoints (/graphql and /graphql/system). The issue is that these endpoints did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query multiple times in one request. This forces the server to execute many independent complex database queries concurrently, increasing database load linearly with the number of aliases used.

Although there is a token limit on GraphQL queries, it still allows enough aliases to cause significant resource exhaustion. The relational depth limit applies per alias but does not reduce the total number of queries executed. Additionally, rate limiting is disabled by default, so no built-in throttle prevents this from causing CPU, memory, and I/O exhaustion, which can degrade or crash the service. Any authenticated user, even with minimal read-only permissions, can trigger this condition.

This vulnerability was fixed in Directus version 11.17.0.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to significant resource exhaustion on the server hosting Directus. By exploiting GraphQL aliasing, an authenticated user can cause the server to execute many complex database queries concurrently, resulting in high CPU, memory, and I/O usage.

The impact includes degraded service performance or even crashing the service, which can cause denial of service for legitimate users.

Since any authenticated user, including those with minimal read-only permissions, can trigger this, it poses a risk even from low-privileged accounts.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Directus to version 11.17.0 or later, where the issue has been fixed.

Additionally, consider enabling rate limiting on GraphQL queries to prevent resource exhaustion, as it is disabled by default.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves exploitation of Directus GraphQL endpoints (/graphql and /graphql/system) by sending requests with multiple GraphQL aliases to cause resource exhaustion.

To detect this vulnerability on your system or network, you can monitor for unusually high numbers of GraphQL alias invocations within single requests to these endpoints, especially from authenticated users.

Since no specific detection commands or tools are provided in the available information, general approaches include:

• Inspect HTTP request logs for POST requests to /graphql or /graphql/system containing GraphQL queries with many aliases.
• Use network monitoring tools to identify spikes in CPU, memory, or database load correlated with GraphQL endpoint usage.
• Implement logging or tracing on the Directus server to capture the number of resolver invocations per request.

Without specific commands or scripts provided, detection relies on analyzing request patterns and resource usage related to the GraphQL endpoints.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an authenticated user to cause resource exhaustion on the server by exploiting GraphQL aliasing to multiply database load, potentially leading to service degradation or crashes.

However, there is no information provided about any impact on data confidentiality, integrity, or availability beyond resource exhaustion, nor any direct mention of effects on compliance with standards such as GDPR or HIPAA.

Therefore, based on the provided information, it is not possible to determine how this vulnerability affects compliance with common standards and regulations.

Useful 0 Not Useful 0