close search bar

Sorry, not available in this language yet

close language selection

CyRC Vulnerability Advisory: Stored XSS in Directus

David Johansson

Apr 11, 2022 / 1 min read


Synopsys Cybersecurity Research Center (CyRC) research has identified a stored cross-site scripting (XSS) vulnerability in Directus, a popular open source headless content management system (CMS) built in JavaScript. Directus App is a web-based admin application that allows users to view and manage content and collections.

The issue found in the Directus App is

  • CVE-2022-24814: Stored XSS in file upload of Directus

Note: A similar issue was previously reported in CVE-2022-22116 and CVE-2022-22117; however, the mitigation implemented for these issues in Directus 9.4.2 is not effective and can be bypassed.

Affected software

  • Directus v9.6.0 and earlier


An authenticated user with access to Directus can abuse the file upload functionality to create a stored XSS attack that is automatically executed when other users view certain collections or files within Directus. In a worst-case scenario, this could lead to the compromise of an admin account and give the attacker full access to all data and settings within Directus.

CVSS 3.1 base score: 5.4 (Medium)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C


Upgrade to Directus v9.7.0 or later. See release notes for latest version available (

Discovery credit

As the researcher who discovered the vulnerability, I would like to commend the Directus team for their responsiveness and for addressing this vulnerability in a timely matter.


  • January 28, 2022: Initial disclosure
  • March 7, 2022: Directus security team confirms the vulnerability and their intent to patch it
  • March 18, 2022: Directus v9.7.0 is released with a fix for CVE-2022-24814
  • April 11, 2022: Advisory published by Synopsys

Subscribe to the blog for the latest AppSec news

Continue Reading

Explore Topics