CVE-2025-30225: 
JavaScript vulnerability analysis and mitigation

Directus, a real-time API and App dashboard for managing SQL database content, has been identified with a vulnerability in its @directus/storage-driver-s3 package (versions 9.22.0 to 12.0.1) and Directus core (versions 9.22.0 to 11.5.0). The vulnerability was disclosed on March 26, 2025, and affects asset availability when processing malformed transformations (GitHub Advisory, NVD).

The vulnerability is characterized by asset unavailability that occurs after a burst of malformed transformation requests. When multiple malformed transformation requests are made simultaneously, all assets begin to be served with 403 errors. This is due to the number of sockets held on Agent on NodeHttpHandler reaching STORAGE_CLOUD_MAX_SOCKETS, preventing new connections. The issue stems from unconsumed streams in AWS SDK when invalid transformation arguments are provided (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).

The vulnerability results in a denial of assets affecting all policies of Directus, including both Admin and Public access levels. This means that legitimate users cannot access any assets stored in the system after the vulnerability is triggered (GitHub Advisory).

The vulnerability has been fixed in version 12.0.1 of the @directus/storage-driver-s3 package, corresponding to version 11.5.0 of Directus. Users are advised to upgrade to these versions or later to address the vulnerability (NVD).