Vulnerabilities

CVE-2026-39942

High
CWE-284 — Weakness Type
Published: Apr 9, 2026  ·  Modified: Apr 16, 2026  ·  Source: NVD
CVSS v3
8.5
🔗 NVD Official
📄 Description (English)

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering. This vulnerability is fixed in 11.17.0.
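As an added example (not code from Directus or from this advisory), one way to harden the PATCH /files/{id} handler the description refers to: only the record's uploader may patch it, uploaded_by is rejected as client input, and filename_disk is limited to a bare file name that no other record already uses. The record shape, the storage field and the otherRecords lookup are assumptions.

```javascript
// Added example (not Directus's own code): a server-side guard for the
// PATCH /files/{id} handler that closes the filename_disk overwrite path.
// Assumed shapes: file record { id, filename_disk, uploaded_by }; patch is the
// client's JSON body; authUserId is the authenticated caller; otherRecords are
// the remaining file records (a real handler would query the database).
const READ_ONLY_FIELDS = ["uploaded_by", "storage"];
// Bare file names only: alphanumeric start, no slashes, backslashes or NULs.
const SAFE_DISK_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/;

function validateFilePatch(existing, authUserId, patch, otherRecords) {
  const errors = [];
  // 1. Ownership: only the uploader may modify the record (admin override omitted).
  if (existing.uploaded_by !== authUserId) {
    errors.push("forbidden: caller did not upload this file");
  }
  // 2. Server-managed metadata is never accepted from the client.
  for (const field of READ_ONLY_FIELDS) {
    if (field in patch) errors.push(`${field} is server-managed and read-only`);
  }
  // 3. filename_disk must stay a bare name and must not alias another object.
  if ("filename_disk" in patch) {
    const name = patch.filename_disk;
    if (typeof name !== "string" || !SAFE_DISK_NAME.test(name) || name.includes("..")) {
      errors.push("filename_disk must be a bare file name without path separators");
    } else if (otherRecords.some((r) => r.id !== existing.id && r.filename_disk === name)) {
      errors.push("filename_disk collides with another file's storage object");
    }
  }
  return { ok: errors.length === 0, errors };
}
```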

🤖 AI Executive Summary

Directus versions prior to 11.17.0 contain a critical file overwrite vulnerability in the PATCH /files/{id} endpoint that allows authenticated attackers to overwrite arbitrary files and manipulate metadata to conceal tampering. This vulnerability poses significant risk to organizations using Directus for content management, particularly those managing sensitive business data. The lack of proper input validation on the filename_disk parameter enables privilege escalation and data integrity attacks.

🤖 AI Intelligence Analysis (analyzed: Apr 24, 2026 03:31)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations in government, banking, and healthcare sectors using Directus for content management systems face significant risk. Government agencies (NCA, CITC) managing citizen data, SAMA-regulated financial institutions storing transaction records, and healthcare providers (MOH, private hospitals) managing patient information are particularly vulnerable. Energy sector organizations and telecommunications companies (STC, Mobily) using Directus for internal content management could experience data tampering and compliance violations. The ability to manipulate uploaded_by metadata creates audit trail corruption, directly impacting compliance with NCA ECC 2024 and SAMA CSF requirements.
🏢 Affected Saudi Sectors
Government (NCA, CITC, Ministry of Interior)
Banking and Financial Services (SAMA-regulated institutions)
Healthcare (MOH, private hospitals)
Energy (ARAMCO, utilities)
Telecommunications (STC, Mobily, Zain)
Education (universities, research institutions)
Media and Publishing
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Directus instances in your environment and document their versions
2. Restrict access to PATCH /files/{id} endpoint to only trusted administrators
3. Implement network-level access controls limiting file upload/modification endpoints
4. Enable comprehensive audit logging for all file operations with immutable logs

PATCHING GUIDANCE:
1. Upgrade Directus to version 11.17.0 or later immediately
2. If immediate patching is not possible, disable the PATCH /files/{id} endpoint entirely
3. Test patches in non-production environments before deployment

COMPENSATING CONTROLS:
1. Implement file integrity monitoring (FIM) on storage directories to detect unauthorized modifications
2. Deploy Web Application Firewall (WAF) rules to block PATCH requests with suspicious filename_disk parameters
3. Enforce strict input validation: whitelist allowed characters in filename_disk parameter
4. Implement role-based access control (RBAC) limiting file modification to essential personnel
5. Enable version control/snapshots for critical files to enable recovery

DETECTION RULES:
1. Monitor for PATCH /files/{id} requests with filename_disk parameters containing path traversal sequences (../, ..\)
2. Alert on file modification events where uploaded_by metadata differs from authenticated user
3. Track rapid successive file modifications from single user account
4. Monitor for modifications to files outside expected storage directories
🔧 Remediation Steps (Arabic)
IMMEDIATE ACTIONS:
1. Identify all Directus instances in your environment and document their versions
2. Restrict access to the PATCH /files/{id} endpoint to trusted administrators only
3. Apply network-level access controls to restrict file upload/modification endpoints
4. Enable comprehensive audit logging for all file operations with immutable logs

PATCHING GUIDANCE:
1. Upgrade Directus to version 11.17.0 or later immediately
2. If immediate patching is not possible, disable the PATCH /files/{id} endpoint entirely
3. Test patches in non-production environments before deployment

COMPENSATING CONTROLS:
1. Apply file integrity monitoring (FIM) on storage directories to detect unauthorized modifications
2. Deploy Web Application Firewall (WAF) rules to block PATCH requests with suspicious filename_disk parameters
3. Enforce strict input validation: whitelist the allowed characters in the filename_disk parameter
4. Apply role-based access control (RBAC) limiting file modification to essential personnel
5. Enable version control/snapshots for critical files to enable recovery

DETECTION RULES:
1. Monitor PATCH /files/{id} requests with filename_disk parameters containing path traversal sequences (../, ..\)
2. Raise alerts on file modifications where the uploaded_by metadata differs from the authenticated user
3. Track rapid successive file modifications from a single user account
4. Monitor modifications to files outside the expected storage directories
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies (file integrity and access control)
A.6.1.1 - Internal Organization (segregation of duties for file management)
A.8.1.1 - Asset Management (protection of information assets)
A.12.4.1 - Logging (audit trails for file modifications)
A.14.2.1 - Secure Development (input validation requirements)
🔵 SAMA CSF
ID.AM-2 - Asset Management (inventory of Directus instances)
PR.AC-1 - Access Control (RBAC for file operations)
PR.DS-1 - Data Security (file integrity protection)
DE.AE-1 - Anomalies and Events (detection of unauthorized modifications)
RS.RP-1 - Response Planning (incident response for file tampering)
🟡 ISO 27001:2022
A.5.1.1 - Information security policies
A.6.1.1 - Organization of information security
A.8.1.1 - Asset management
A.8.2.3 - Acceptable use of assets
A.12.4.1 - Event logging
A.14.2.1 - Secure development policy
🟣 PCI DSS v4.0.1
Requirement 1.1 - Firewall configuration standards
Requirement 2.2.4 - Configure system security parameters
Requirement 6.5.1 - Injection flaws prevention
Requirement 10.2 - Implement automated audit trails
📦 Affected Products / CPE (1 entry)
directus
📊 CVSS Score
8.5
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: L (Low)
User Interaction: N (None)
Scope: C (Changed)
Confidentiality: L (Low)
Integrity: H (High)
Availability: N (None)
📋 Quick Facts
Severity High
CVSS Score 8.5
CWE CWE-284
EPSS 0.03%
Exploit No
Patch ✗ No
Published 2026-04-09
Source Feed nvd
🇸🇦 Saudi Risk Score
8.2
/ 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
CWE-284