CVE-2025-30351 is a security vulnerability identified in the Directus platform, a real-time API and application dashboard used for managing SQL database content. The vulnerability affects Directus versions starting from 10.10.0 up to, but not including, 11.5.0. The core issue lies in the session authentication mechanism, specifically within the `verifySessionJWT` function. When a user is suspended in the system, their session token, which was generated during an active session, remains valid and can still be used to access the API. This occurs because the system fails to verify the current active status of the user during token validation. Consequently, a suspended user can continue to interact with the API until the token naturally expires. This is a classic example of a CWE-672 weakness, where operations are performed on resources after they have been logically expired or released, leading to unauthorized access. The vulnerability requires that the attacker has already authenticated and obtained a valid session token before suspension, and user interaction is necessary to exploit it. The CVSS v3.1 score is 3.5, indicating a low severity primarily due to the limited scope and conditions required for exploitation. The vulnerability does not affect confidentiality or availability significantly, as it only allows continued access for suspended users, not privilege escalation or data modification. The issue is resolved in Directus version 11.5.0, where the session verification process includes a check to confirm the user’s active status before granting API access.

For European organizations using Directus within the affected version range, this vulnerability could lead to unauthorized API access by users who have been suspended, potentially violating internal access control policies. While the impact on confidentiality and integrity is limited, the continued access could allow suspended users to view sensitive data or perform read operations that should have been revoked. This could result in compliance issues, especially under GDPR, where strict access controls and data protection are mandated. Additionally, organizations relying on Directus for critical data management might face operational risks if suspended users retain access longer than intended. The low CVSS score reflects the limited severity, but the risk is non-negligible in environments with strict user lifecycle management and regulatory compliance requirements. Since no known exploits are reported in the wild, the immediate threat level is low, but the vulnerability should be addressed promptly to prevent potential misuse.

European organizations should upgrade Directus to version 11.5.0 or later, where the vulnerability is patched by adding a verification step to ensure users are active before allowing API access. Until the upgrade can be performed, organizations should implement compensating controls such as: 1) Immediately invalidating all active session tokens for users upon suspension, if supported by the platform or via custom scripting; 2) Monitoring API access logs for unusual activity from suspended accounts; 3) Reducing token lifetime to minimize the window of exposure; 4) Enforcing stricter session management policies, including manual token revocation; 5) Restricting API access through network-level controls or API gateways that can enforce additional authentication checks. Regular audits of user status and session validity should be conducted to ensure suspended users do not retain access. Finally, organizations should review their incident response plans to include scenarios involving session token misuse.