CVE-2024-34709

Public Exploit
Directus Lacks Session Tokens Invalidation

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The `directus_session` gets destroyed and the cookie gets deleted but if the cookie value is captured, it will still work for the entire expiry time which is set to 1 day by default. Making it effectively a long lived unrevokable stateless token instead of the stateful session token it was meant to be. This vulnerability is fixed in 10.11.0.

Category

5.4
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.11%
Vendor Advisory github.com
Affected: directus directus
Published at:
Updated at:

References

Link Tags
https://github.com/directus/directus/security/advisories/GHSA-g65h-35f3-x2w3 vendor advisory exploit
https://github.com/directus/directus/commit/a6172f8a6a0f31a6bf4305a090de172ebfb63bcf patch

Frequently Asked Questions

What is the severity of CVE-2024-34709?
CVE-2024-34709 has been scored as a medium severity vulnerability.
How to fix CVE-2024-34709?
To fix CVE-2024-34709, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-34709 being actively exploited in the wild?
It is possible that CVE-2024-34709 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-34709?
CVE-2024-34709 affects directus directus.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.