Jan 6, 2026
Directus failed to validate the `RelayState` parameter in its SAML driver during the authentication callback. It checked redirect URLs when a login attempt started, but it blindly trusted the state returned by the Identity Provider. This allowed attackers to craft login links that, once authentication succeeded, immediately bounced users to malicious domains: a convenient setup for high-credibility phishing campaigns.
A deep dive into an Open Redirect vulnerability within Directus's SAML authentication driver, allowing attackers to hijack post-login flows via unvalidated RelayState parameters.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| @directus/api (Directus) | < Dec 9 2025 (Commit dad9576) | Post-Dec 9 2025 Release |

| Attribute | Detail |
|---|---|
| Vulnerability Type | Open Redirect |
| CWE ID | CWE-601 |
| Affected Component | api/src/auth/drivers/saml.ts |
| Attack Vector | Network (Web) |
| CVSS (Estimated) | 6.1 (Medium) |
| Patch Date | 2025-12-09 |
The software redirects the user to a destination that is not part of the site's domain or an allowed list, which can assist in phishing attacks.
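The root cause described above is that the redirect target was checked only when the login started, while the `RelayState` echoed back by the IdP was used as-is. The following TypeScript is an added illustration, not Directus's own code: it models the callback both ways (trusting the returned state, and re-validating it against an origin allow-list before redirecting). The names `PUBLIC_URL`, `ALLOWED_ORIGINS`, `resolveSafeRedirect` and the two callback functions are assumptions for this example, and the configuration values are constructed.

```typescript
// Added example (not Directus's own code): re-validating a SAML RelayState
// on the authentication callback before using it as a redirect target.
// PUBLIC_URL, ALLOWED_ORIGINS and the function names below are assumptions.

// Constructed configuration: the application's own origin plus any other
// origin (e.g. a separately hosted frontend) that post-login redirects may use.
const PUBLIC_URL = "https://directus.example.com";
const ALLOWED_ORIGINS: ReadonlySet<string> = new Set([
  new URL(PUBLIC_URL).origin,
  "https://app.example.com",
]);

// Returns an absolute redirect URL if `candidate` is safe, otherwise null.
function resolveSafeRedirect(
  candidate: string | null | undefined,
  allowed: ReadonlySet<string> = ALLOWED_ORIGINS,
  base: string = PUBLIC_URL,
): string | null {
  if (!candidate) return null;
  let target: URL;
  try {
    // Resolve relative to our own origin so a bare path like "/admin" stays local.
    // WHATWG parsing also normalises "//evil.tld" and "/\evil.tld" into absolute
    // URLs on the foreign host, so they are caught by the origin check below.
    target = new URL(candidate.trim(), base);
  } catch {
    return null;
  }
  // Only http(s) targets: rejects javascript:, data: and similar schemes.
  if (target.protocol !== "https:" && target.protocol !== "http:") return null;
  // Compare the parsed origin, not a string prefix, so lookalike hosts
  // ("directus.example.com.evil.tld") and userinfo tricks
  // ("https://directus.example.com@evil.tld") do not pass.
  if (!allowed.has(target.origin)) return null;
  return target.toString();
}

// Minimal model of what the callback receives: whether the SAML response
// verified, and the RelayState value that came back with it.
interface CallbackInput {
  authenticated: boolean;
  relayState?: string;
}

// Behaviour described in the advisory: the returned state is used unchanged.
function vulnerableCallbackRedirect(input: CallbackInput): string {
  if (!input.authenticated) return `${PUBLIC_URL}/login`;
  return input.relayState ?? PUBLIC_URL;
}

// Hardened form: the same allow-list check applied at login start is
// applied again on the callback, falling back to our own origin.
function hardenedCallbackRedirect(input: CallbackInput): string {
  if (!input.authenticated) return `${PUBLIC_URL}/login`;
  return resolveSafeRedirect(input.relayState) ?? PUBLIC_URL;
}

// Stand-alone demonstration on a constructed foreign RelayState.
const sample: CallbackInput = {
  authenticated: true,
  relayState: "https://evil.example/login",
};
console.log("trusted as-is  :", vulnerableCallbackRedirect(sample));
console.log("re-validated   :", hardenedCallbackRedirect(sample));
```

The key design choice is where the check runs: the IdP round trip means the value that comes back is attacker-influenced regardless of what was validated at the start, so the callback must validate it independently and fall back to a safe default rather than failing open.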