{"id":"CVE-2024-46990","summary":"SSRF Loopback IP filter bypass in directus","details":"Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default `0.0.0.0` filter, a user may bypass this block by using other registered loopback devices (like `127.0.0.2` - `127.127.127.127`). This issue has been addressed in release versions 10.13.3 and 11.1.0. Users are advised to upgrade. Users unable to upgrade may block this bypass by manually adding the `127.0.0.0/8` CIDR range, which will block access to any `127.X.X.X` IP address instead of just `127.0.0.1`.","aliases":["GHSA-68g8-c275-xf2m"],"modified":"2026-04-10T04:14:11.170925Z","published":"2024-09-18T16:55:24.255Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-284"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/46xxx/CVE-2024-46990.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/46xxx/CVE-2024-46990.json"},{"type":"ADVISORY","url":"https://github.com/directus/directus/security/advisories/GHSA-68g8-c275-xf2m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46990"},{"type":"FIX","url":"https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b"},{"type":"FIX","url":"https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52"},{"type":"FIX","url":"https://github.com/directus/directus/commit/8cbf943b65fd4a763d09a5fdbba8996b1e7797ff"},{"type":"FIX","url":"https://github.com/directus/directus/commit/c1f3ccc681595038d094ce110ddeee38cb38f431"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/directus/directus","events":[{"introduced":"2b02764ac8a4aac3df7764ca935ad7f9e48581b7"},{"fixed":"1b1ab7713e543d491a8320fd2e337e96134df2dd"}]}],"versions":["v11.0.0","v11.0.1","v11.0.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-46990.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"}]}