
directus-security

v0.1.0

Published

Audit any Directus instance for public-role data exposure, user enumeration, unauthenticated version/schema leaks and GraphQL introspection — and PROVE each leak live with an anonymous probe. No admin token needed for the keyless scan.

Readme

directus-security

Audit any Directus instance for the misconfigurations that actually leak data — public-role read exposure, user enumeration, unauthenticated version/schema leaks, GraphQL introspection, and the search-param field-enumeration oracle — and prove each one live with an anonymous probe. Other checklists tell you what might be wrong; this fetches the bytes and shows you what is.

Run it in one line, no admin token, no install:

npx directus-security --url https://your-directus.example.com

🤝 Want it done for you? Fixed-scope audit — $99 / 24h: I verify each finding live and send a written report with the exact policy fixes.


$ npx directus-security --url https://directus.example.com
1 critical, 2 high, 1 medium — 4 CONFIRMED via anonymous probe
  CRITICAL  /items/posts            public-role read enabled — rows reachable anonymously
  HIGH      /items/posts?search=…   search-param field enumeration (CVE-2025-30352 class)
  HIGH      /items/directus_users   user list exposed (name + email)
  MEDIUM    /server/specs/oas       Directus version leaked unauthenticated (CVE-2025-53887 class)

Why this exists

Directus powers headless backends at Tripadvisor, Adobe and Mercedes, and the default access model makes one mistake very easy: leaving read enabled for the Public policy. The result is an API anyone can read. 2025 brought a cluster of unauthenticated CVEs that map exactly to anonymous probes:

  • CVE-2025-30352 — the search query parameter enumerates non-permitted fields, leaking emails and password hashes one character at a time.
  • CVE-2025-53887 — the Directus version is exposed unauthenticated via /server/specs/oas, letting attackers match your build to known exploits.
  • CVE-2025-64749 — collection-existence leak via error-message diffing.
  • CVE-2025-53889 — unauthenticated Flow trigger.

directus-security checks for these and confirms the real ones by issuing the exact anonymous request an attacker would — so you triage facts, not maybes.

What it checks

| Check | Severity | How it's confirmed |
|---|---|---|
| Public-role read on a collection | critical | anonymous GET /items/{collection} returns rows |
| search-param field enumeration | high | anonymous GET /items/{collection}?search=… answers (CVE-2025-30352 class) |
| /items/directus_users user enumeration | high | anonymous read returns the user list (name + email) |
| Unauthenticated version/schema leak | medium | /server/info or /server/specs/oas returns the version unauth (CVE-2025-53887 class) |
| GraphQL introspection in prod | medium | __schema query answered on /graphql or /graphql/system |

Usage

# Probe a live instance (guesses common collection names)
npx directus-security --url https://directus.example.com

# Probe specific collections
npx directus-security --url https://directus.example.com --collections posts,authors

# Learn your exact collection names from a Directus schema snapshot, then probe
npx directus-security --url https://directus.example.com --snapshot ./snapshot.json

# Write a shareable HTML report
npx directus-security --url https://directus.example.com --html report.html

# Static only (no requests sent)
npx directus-security --url https://directus.example.com --no-probe

Output is JSON on stdout (pipe it into CI) and a one-line summary on stderr. The exit code is non-zero only on usage errors, never on findings, so gate your pipeline on the JSON summary rather than on the exit status.
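As an added example that is not part of directus-security, a small Node script that applies such a gate to the tool's JSON output, failing the job only on findings at or above a chosen severity and, by default, only on ones the live probe confirmed. The report shape (a `findings` array of objects with `check`, `path`, `severity` and `confirmed`) is an assumption, since the README does not document it, and the sample report is constructed from the example run above.

```javascript
// Added example (not part of directus-security): gate a CI job on the tool's JSON
// report, since the tool exits 0 even with findings. The report shape is an
// ASSUMPTION: a `findings` array of { check, path, severity, confirmed }.
const SEVERITY_RANK = { critical: 4, high: 3, medium: 2, low: 1, info: 0 };
// Findings that block the build: severity at or above `failOn` and, by default,
// only those confirmed by the live probe, so a --no-probe run (static heuristics
// only) does not fail the pipeline on a maybe.
function blockingFindings(report, { failOn = 'high', confirmedOnly = true } = {}) {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity: ${failOn}`);
  const findings = Array.isArray(report?.findings) ? report.findings : [];
  return findings.filter((f) => {
    const rank = SEVERITY_RANK[String(f.severity).toLowerCase()];
    if (rank === undefined || rank < threshold) return false;
    return confirmedOnly ? f.confirmed === true : true;
  });
}

// One-line summary in the README's style ("1 critical, 2 high, 1 medium - 4 CONFIRMED ...").
function summarize(report) {
  const counts = {};
  let confirmed = 0;
  for (const f of report?.findings ?? []) {
    const s = String(f.severity).toLowerCase();
    counts[s] = (counts[s] ?? 0) + 1;
    if (f.confirmed === true) confirmed += 1;
  }
  const parts = Object.keys(SEVERITY_RANK).filter((s) => counts[s]).map((s) => `${counts[s]} ${s}`);
  return `${parts.join(', ') || 'no findings'} - ${confirmed} CONFIRMED via anonymous probe`;
}

// Parse the tool's stdout and decide. Malformed JSON fails closed (exit 2)
// rather than silently passing the gate.
function gateFromJson(text, options) {
  let report;
  try { report = JSON.parse(text); } catch (e) { return { exitCode: 2, summary: `unparseable report: ${e.message}`, blocking: [] }; }
  const blocking = blockingFindings(report, options);
  return { exitCode: blocking.length ? 1 : 0, summary: summarize(report), blocking };
}

// Constructed sample mirroring the README's example run (not real tool output).
const SAMPLE_REPORT = { findings: [
  { check: 'public-role read', path: '/items/posts', severity: 'critical', confirmed: true },
  { check: 'search-param field enumeration', path: '/items/posts?search=', severity: 'high', confirmed: true },
  { check: 'user enumeration', path: '/items/directus_users', severity: 'high', confirmed: true },
  { check: 'version leak', path: '/server/specs/oas', severity: 'medium', confirmed: true },
] };
const result = gateFromJson(JSON.stringify(SAMPLE_REPORT));
console.error(result.summary);
for (const f of result.blocking) console.error(`  BLOCKING ${f.severity.toUpperCase()} ${f.path} ${f.check}`);
```

To wire it into CI, collect the tool's stdout into a string, pass it to gateFromJson and call process.exit with the returned exitCode.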

Install (optional)

npm i -g directus-security
directus-security --url https://directus.example.com

Zero dependencies. Your data and credentials never leave your machine — every request goes straight from the tool to your Directus instance.

Sister tools

Same active-probe philosophy for the rest of the backend stack, all MIT:

strapi-security · supabase-security · pocketbase-security · firebase-security · appwrite-security · nhost-security

License

MIT © Renzo Madueno