CVE-2024-39895

CVE-2024-39895 is a medium-severity vulnerability in Monospace Directus with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-400.

Key facts

Description

Directus is a real-time API and App dashboard for managing SQL database content. A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single query. This can cause the server to perform redundant computations and consume excessive resources, leading to a denial of service for legitimate users. Request to the endpoint /graphql are sent when visualizing graphs generated at a dashboard. By modifying the data sent and duplicating many times the fields a DoS attack is possible. This vulnerability is fixed in 10.12.0.

Frequently asked questions

What is CVE-2024-39895?
Directus is a real-time API and App dashboard for managing SQL database content. A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single query. This can cause the server to perform redundant computations and consume excessive resources, leading to a denial of service for legitimate users. Request to the endpoint /graphql are sent when visualizing graphs generated at a dashboard. By modifying the data sent and duplicating many times the fields a DoS attack is possible. This vulnerability is fixed in 10.12.0.
How severe is CVE-2024-39895?
CVE-2024-39895 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
Is CVE-2024-39895 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (52nd percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2024-39895?
CVE-2024-39895 affects Monospace Directus. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2024-39895?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2024-39895 have an EU (EUVD) identifier?
Yes. CVE-2024-39895 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-2287.
When was CVE-2024-39895 published?
CVE-2024-39895 was published on 2024-07-08 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Monospace Directus

All CVEs affecting Monospace Directus →

Other CWE-400 (Uncontrolled Resource Consumption) vulnerabilities

Browse all CWE-400 (Uncontrolled Resource Consumption) vulnerabilities →