GHSA-ph52-67fq-75wj

Suggest an improvement
Source
https://github.com/advisories/GHSA-ph52-67fq-75wj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-ph52-67fq-75wj/GHSA-ph52-67fq-75wj.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-ph52-67fq-75wj
Aliases
  • CVE-2026-35441
Published
2026-04-04T06:12:52Z
Modified
2026-04-04T06:18:57.839003Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits
Details

Summary

Directus' GraphQL endpoints (/graphql and /graphql/system) did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large number of independent complex database queries concurrently, multiplying database load linearly with the number of aliases. The existing token limit on GraphQL queries still permitted enough aliases for significant resource exhaustion, while the relational depth limit applied per alias without reducing the total number executed. Rate limiting is disabled by default, meaning no built-in throttle prevented this from causing CPU, memory, and I/O exhaustion that could degrade or crash the service. Any authenticated user, including those with minimal read-only permissions, could trigger this condition.

Fix

A request-scoped resolver deduplication mechanism was introduced and applied broadly across all GraphQL read resolvers, both system and items endpoints. When multiple aliases in a single request invoke the same resolver with identical arguments, only the first call executes; all subsequent aliases share its result. This eliminates the amplification factor regardless of how many aliases a query contains.

Impact

  • Service degradation or outage: Concurrent complex database queries exhaust the connection pool and server resources, affecting all users
  • Low privilege required: Any authenticated user, including those with read-only access to a single collection, can trigger this condition
  • Linear scaling: Impact scales with the number of aliases and depth of relational queries
  • Compounded by concurrency: Multiple simultaneous requests multiply the effect further
Database specific 
{
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null,
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-04T06:12:52Z"
}
References

Affected packages

npm / directus

Package

Name
directus
View open source insights on deps.dev
Purl
pkg:npm/directus

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
11.17.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-ph52-67fq-75wj/GHSA-ph52-67fq-75wj.json"