CVE-2024-39895: 
JavaScript vulnerability analysis and mitigation

A denial of service (DoS) vulnerability (CVE-2024-39895) was discovered in Directus, a real-time API and App dashboard for managing SQL database content. The vulnerability affects versions prior to 10.12.0 and involves field duplication in GraphQL queries. The issue was disclosed on July 8, 2024, and has been assigned a CVSS v3.1 base score of 6.5 (Medium) (GitHub Advisory, NVD).

The vulnerability exploits the flexibility of GraphQL by allowing attackers to request the same field multiple times in a single query to the /graphql endpoint. When visualizing graphs generated at a dashboard, an attacker can modify the data sent and duplicate fields numerous times, causing the server to perform redundant computations and consume excessive resources. The vulnerability has been assigned CWE-400 (Uncontrolled Resource Consumption) and requires low attack complexity with network vector access (GitHub Advisory).

When exploited, this vulnerability can cause the Directus service to become unresponsive for several minutes. An attacker could potentially send continuous requests to the server, leading to indefinite service unavailability. The attack specifically impacts system availability while maintaining no effect on confidentiality or integrity (GitHub Advisory).

The vulnerability has been fixed in Directus version 10.12.0. The fix includes the addition of a configurable max token limit for GraphQL queries through the 'GRAPHQLQUERYTOKEN_LIMIT' parameter, which defaults to 5000 tokens (GitHub Commit).