CVE-2025-30350

Directus's S3 assets become unavailable after a burst of HEAD requests

Description

Directus is a real-time API and App dashboard for managing SQL database content. The `@directus/storage-driver-s3` package starting in version 9.22.0 and prior to version 12.0.1, corresponding to Directus starting in version 9.22.0 and prior to 11.5.0, is vulnerable to asset unavailability after a burst of HEAD requests. Some tools use Directus to sync content and assets, and some of those tools use the HEAD method to check the existence of files. When making many HEAD requests at once, at some point, all assets are eventually served as 403. This causes denial of assets for all policies of Directus, including Admin and Public. Version 12.0.1 of the `@directus/storage-driver-s3` package, corresponding to version 11.5.0 of Directus, fixes the issue.

INFO

Published Date :

2025-03-26T16:49:48.880Z

Last Modified :

2025-03-26T18:04:30.065Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2025-30350 vulnerability.

Vendors	Products
Directus	Directus
Monospace	Directus

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-30350.

URL	Resource
https://github.com/directus/directus/security/advisories/GHSA-rv78-qqrq-73m5

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact