
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-6Q22-G298-GRJH: Unauthenticated Denial of Service via GraphQL Alias Amplification in Directus

Vulnerability ID: GHSA-6Q22-G298-GRJH
CVSS Score: 7.5
Published: 2026-04-04

Directus versions prior to 11.17.0 are vulnerable to an unauthenticated Denial of Service (DoS) attack. The vulnerability arises from a lack of request-scoped deduplication in the GraphQL API, allowing attackers to exploit GraphQL alias amplification against resource-intensive resolvers such as the system health check.

TL;DR

Unauthenticated attackers can cause a Denial of Service (DoS) in Directus < 11.17.0 by sending a single GraphQL request with thousands of aliases targeting the expensive server_health resolver, rapidly exhausting database, storage, and network resources.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Class: Uncontrolled Resource Consumption
  • CWE ID: CWE-400
  • CVSS v3.1 Score: 7.5 (High)
  • Attack Vector: Network
  • Authentication Required: None
  • Exploit Status: Proof of Concept (PoC)
  • Fixed Version: 11.17.0

Affected Systems

  • Directus GraphQL API Engine
  • Directus System Endpoint (/graphql/system)
  • Database Connection Pool
  • SMTP Integration Service
  • directus: < 11.17.0 (Fixed in: 11.17.0)

Code Analysis

Commit: Pull Re

Fix: GraphQL Request-Scoped Resolver Deduplication
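The fix the advisory names, request-scoped resolver deduplication, can be illustrated with the following added example; it is not Directus's own code. It assumes a hypothetical `expensiveHealthCheck` standing in for the `server_health` resolver and a per-request context object holding a memo map. Every alias of the field within one request resolves to a single underlying call, while a new request runs the check again.

```javascript
// Added example (not Directus code): request-scoped deduplication of an
// expensive resolver. Within a single GraphQL request, every alias of the
// same field shares one result, so N aliases cost one underlying call.

// Hypothetical stand-in for the server_health resolver; the counter lets
// a test observe how many times the real work actually ran.
let healthCheckCalls = 0;
function expensiveHealthCheck() {
  healthCheckCalls += 1;
  // A real implementation would probe the database, storage and SMTP here.
  return { status: "ok" };
}

// A fresh context is created per incoming HTTP request; the memo map lives
// and dies with the request, so nothing is cached across requests.
function createRequestContext() {
  return { memo: new Map() };
}

// Wrap a resolver so repeated calls with the same key inside one request
// context return the first call's result. If the resolver returns a
// promise, the promise itself is memoised, which also collapses
// concurrent in-flight calls.
function dedupePerRequest(key, resolver) {
  return function deduped(parent, args, context) {
    if (!context.memo.has(key)) {
      context.memo.set(key, resolver(parent, args, context));
    }
    return context.memo.get(key);
  };
}

const serverHealthResolver = dedupePerRequest("server_health", expensiveHealthCheck);

// Simulate an executor resolving `aliasCount` aliases of server_health in
// one request: the resolver is invoked once per alias, but the expensive
// check runs once.
function executeRequest(aliasCount) {
  const context = createRequestContext();
  const before = healthCheckCalls;
  const results = [];
  for (let i = 0; i < aliasCount; i++) {
    results.push(serverHealthResolver(null, {}, context));
  }
  return {
    aliases: results.length,
    underlyingCalls: healthCheckCalls - before,
    allOk: results.every((r) => r.status === "ok"),
  };
}

// Demonstration: 1000 aliases in one request -> one health check.
console.log(executeRequest(1000));
```

The important design point is where the memo lives: attaching it to the per-request context (rather than a module-level cache) means the deduplication cannot leak stale health results between requests, and the cost of a request is bounded by the number of distinct expensive fields it selects rather than by the number of aliases.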

Exploit Details

  • Conceptual: GraphQL alias amplification query targeting server_health

Mitigation Strategies

  • Upgrade Directus to patched version 11.17.0 or later.
  • Implement WAF rules to limit the maximum number of GraphQL aliases permitted in a single request.
  • Implement WAF rules to restrict excessive consecutive calls to the server_health field.
  • Restrict network access to the /graphql/system endpoint to trusted internal networks if public access is not required.
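One way to implement the alias-limiting rule from the list above is a pre-execution guard run in middleware or a WAF in front of `/graphql/system`. The following is an added example, not Directus or WAF-vendor code. The tokenizer is a deliberately minimal assumption (names and punctuators, with string literals and comments blanked out) rather than a full GraphQL lexer, and the values in `DEFAULT_LIMITS` are illustrative. It counts aliases and per-field selections across any GraphQL document, not only `server_health`, so the same guard covers other expensive resolvers.

```javascript
// Added example (not Directus or WAF-vendor code): a pre-execution guard that
// counts aliases and per-field selections in a GraphQL document so that an
// alias-amplified request can be rejected before any resolver runs.

// Illustrative limits (assumed, tune per deployment): at most 50 aliases per
// document and at most one selection of the expensive server_health field.
const DEFAULT_LIMITS = { maxAliases: 50, maxPerField: { server_health: 1 } };

const KEYWORDS = new Set(["query", "mutation", "subscription", "fragment", "on"]);

// Minimal tokenizer (an assumption, not a full GraphQL lexer): block strings,
// string literals and comments are blanked out, then names and punctuators
// are emitted. Numbers are ignored since they are never selections.
function tokenize(query) {
  const cleaned = query
    .replace(/"""[\s\S]*?"""/g, '""')
    .replace(/"(?:\\.|[^"\\])*"/g, '""')
    .replace(/#[^\n]*/g, "");
  return cleaned.match(/[_A-Za-z][_0-9A-Za-z]*|\.\.\.|[{}():,!$@=\[\]|]/g) || [];
}

// Walk the tokens. Names inside parentheses are arguments or variable
// definitions, never selections, so they are skipped; `name :` at selection
// level is an alias and the following name is the real field.
function analyzeQuery(query) {
  const tokens = tokenize(query);
  let parenDepth = 0;
  let aliases = 0;
  const fieldCounts = {};
  for (let i = 0; i < tokens.length; i++) {
    const tok = tokens[i];
    if (tok === "(") { parenDepth++; continue; }
    if (tok === ")") { parenDepth--; continue; }
    if (parenDepth > 0 || !/^[_A-Za-z]/.test(tok)) continue;
    const prev = tokens[i - 1];
    // Skip operation/fragment names, type conditions, directives and spreads.
    if (KEYWORDS.has(tok) || KEYWORDS.has(prev) || prev === "@" || prev === "...") continue;
    if (tokens[i + 1] === ":") { aliases++; continue; }
    fieldCounts[tok] = (fieldCounts[tok] || 0) + 1;
  }
  return { aliases, fieldCounts };
}

// Apply the limits and report every violation, so a rejection can be logged
// with enough detail to tune the thresholds.
function checkQueryLimits(query, limits = DEFAULT_LIMITS) {
  const { aliases, fieldCounts } = analyzeQuery(query);
  const violations = [];
  if (aliases > limits.maxAliases) {
    violations.push(`aliases=${aliases} exceeds limit ${limits.maxAliases}`);
  }
  for (const [field, max] of Object.entries(limits.maxPerField)) {
    const n = fieldCounts[field] || 0;
    if (n > max) violations.push(`${field} selected ${n} times, limit ${max}`);
  }
  return { allowed: violations.length === 0, aliases, fieldCounts, violations };
}

// Constructed sample documents for demonstration.
const BENIGN_QUERY = `
  # normal health probe
  query Health { server_health { status } }
`;
const ARGS_QUERY = `
  query Articles($limit: Int) {
    articles(filter: { status: { _eq: "published" } }, limit: $limit) { id title }
  }
`;
// Five aliases of server_health: small, but already over the per-field limit.
const AMPLIFIED_QUERY =
  "{ " + Array.from({ length: 5 }, (_, i) => `h${i}: server_health { status }`).join(" ") + " }";

console.log(checkQueryLimits(BENIGN_QUERY));
console.log(checkQueryLimits(AMPLIFIED_QUERY));
```

Run in front of the GraphQL executor, a guard like this rejects the amplified document before any database, storage or SMTP probe is started, which is exactly the resource the advisory says the attack exhausts. Counting per-field selections as well as raw aliases matters: a cap on aliases alone can be sidestepped by nesting or by selecting the same field in several fragments, so the per-field limit is the one that actually protects `server_health`.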

Remediation Steps:

  1. Update the directus dependency in the package.json file to >=11.17.0.
  2. Run npm install or yarn install to update the lockfile and install the patched version.
  3. Restart the Directus application service.
  4. Verify the update by sending a test GraphQL payload containing multiple server_health aliases and monitoring resource consumption.

References


