
FKIE_CVE-2025-64749

Vulnerability from fkie_nvd - Published: 2025-11-13 22:15 - Updated: 2025-12-08 15:02
Summary
Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they are not authorized to access, and when a user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users who are not authorized to access these collections. Version 11.13.0 fixes the issue.
Impacted products
Vendor Product Version
monospace directus *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "19DDC40E-F676-4824-A433-37CFBEDFEBDB",
              "versionEndExcluding": "11.13.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they are not authorized to access, and when user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users which are not authorized to access these collections. Version 11.13.0 fixes the issue."
    }
  ],
  "id": "CVE-2025-64749",
  "lastModified": "2025-12-08T15:02:34.437",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-11-13T22:15:52.390",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/directus/directus/commit/f99c9b89071f9d136cc9b0d0c182f2d24542bc31"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-203"
        },
        {
          "lang": "en",
          "value": "CWE-209"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2025-64747

Vulnerability from fkie_nvd - Published: 2025-11-13 22:15 - Updated: 2025-11-19 14:49
Summary
Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. Version 11.13.0 fixes the issue.
Impacted products
Vendor Product Version
monospace directus *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "19DDC40E-F676-4824-A433-37CFBEDFEBDB",
              "versionEndExcluding": "11.13.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. Version 11.13.0 fixes the issue."
    }
  ],
  "id": "CVE-2025-64747",
  "lastModified": "2025-11-19T14:49:11.913",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 3.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-11-13T22:15:52.000",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/directus/directus/commit/d23525317f0780f04aa1fe7a99171a358e43cb2e"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/directus/directus/security/advisories/GHSA-vv2v-pw69-8crf"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        },
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2025-64748

Vulnerability from fkie_nvd - Published: 2025-11-13 22:15 - Updated: 2025-12-08 15:00
Summary
Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. Version 11.13.0 fixes the issue.
Impacted products
Vendor Product Version
monospace directus *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "19DDC40E-F676-4824-A433-37CFBEDFEBDB",
              "versionEndExcluding": "11.13.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. Version 11.13.0 fixes the issue."
    }
  ],
  "id": "CVE-2025-64748",
  "lastModified": "2025-12-08T15:00:53.110",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-11-13T22:15:52.183",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/directus/directus/commit/7737d56e096f95edfbdf861a3c08999ad31ce204"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-201"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2025-64746

Vulnerability from fkie_nvd - Published: 2025-11-13 21:15 - Updated: 2025-12-08 14:58
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue.
Impacted products
Vendor Product Version
monospace directus *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "19DDC40E-F676-4824-A433-37CFBEDFEBDB",
              "versionEndExcluding": "11.13.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue."
    }
  ],
  "id": "CVE-2025-64746",
  "lastModified": "2025-12-08T14:58:27.827",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.6,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-11-13T21:15:54.407",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/directus/directus/commit/84d7636969083387164ce5d2fd15a65e11e2d0b8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/directus/directus/security/advisories/GHSA-9x5g-62gj-wqf2"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        },
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2025-53885

Vulnerability from fkie_nvd - Published: 2025-07-15 00:15 - Updated: 2025-07-16 14:18
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users, it is possible to log the incoming data to the console using the "Log to Console" operation and a template string. Malicious admins can log sensitive data from other users when those users are created or updated. Version 11.9.0 contains a fix for the issue. As a workaround, avoid logging sensitive data to the console outside the context of development.
Impacted products
Vendor Product Version
monospace directus *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "F31E6F8B-BDA5-440E-AD39-A3EC8795C7E1",
              "versionEndExcluding": "11.9.0",
              "versionStartIncluding": "9.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the \"Log to Console\" operation and a template string. Malicious admins can log sensitive data from other users when they are created or updated. Version 11.9.0 contains a fix for the issue. As a workaround, avoid logging sensitive data to the console outside the context of development."
    },
    {
      "lang": "es",
      "value": "Directus es una API en tiempo real y un panel de control para aplicaciones que permite gestionar el contenido de bases de datos SQL. A partir de la versi\u00f3n 9.0.0 y anteriores a la 11.9.0, al usar flujos de Directus para gestionar eventos CRUD de los usuarios, es posible registrar los datos entrantes en la consola mediante la operaci\u00f3n \"Registrar en consola\" y una cadena de plantilla. Administradores malintencionados pueden registrar datos confidenciales de otros usuarios al crearlos o actualizarlos. La versi\u00f3n 11.9.0 incluye una soluci\u00f3n para este problema. Como soluci\u00f3n alternativa, evite registrar datos confidenciales en la consola fuera del contexto del desarrollo."
    }
  ],
  "id": "CVE-2025-53885",
  "lastModified": "2025-07-16T14:18:18.337",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 4.2,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.6,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-15T00:15:23.533",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff580e5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/directus/directus/pull/25355"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/directus/directus/releases/tag/v11.9.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/directus/directus/security/advisories/GHSA-x3vm-88hf-gpxp"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2025-53889

Vulnerability from fkie_nvd - Published: 2025-07-15 00:15 - Updated: 2025-07-16 14:20
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger do not validate whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do, this can lead to the Flow executing tasks on the attacker's behalf without authentication. Bad actors could execute manual trigger Flows without authentication or without access rights to the collection(s) or item(s) in question. Users with manual trigger Flows configured are impacted, as these endpoints do not currently validate whether the user has read access to `directus_flows` or to the relevant collection/items. Manual trigger Flows should have tighter security requirements than webhook Flows, where users are expected to perform their own checks. Version 11.9.0 fixes the issue. As a workaround, implement permission checks for read access to Flows and read access to the relevant collection/items.
Impacted products
Vendor Product Version
monospace directus *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "867FB238-39A1-43B8-8ADE-39C1E0CDC390",
              "versionEndExcluding": "11.9.0",
              "versionStartIncluding": "9.12.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to the Flow executing potential tasks on the attacker\u0027s behalf without authenticating. Bad actors could execute the manual trigger Flows without authentication, or access rights to the said collection(s) or item(s). Users with manual trigger Flows configured are impacted as these endpoints do not currently validate if the user has read access to `directus_flows` or to the relevant collection/items. The manual trigger Flows should have tighter security requirements as compared to webhook Flows where users are expected to perform do their own checks. Version 11.9.0 fixes the issue. As a workaround, implement permission checks for read access to Flows and read access to relevant collection/items."
    },
    {
      "lang": "es",
      "value": "Directus es una API en tiempo real y un panel de control de aplicaciones para gestionar el contenido de bases de datos SQL. A partir de la versi\u00f3n 9.12.0 y anteriores a la 11.9.0, los flujos de Directus con un disparador manual no validan si el usuario que los activa tiene permisos sobre los elementos proporcionados como payload. Dependiendo de la configuraci\u00f3n del flujo, esto puede provocar que ejecute tareas en nombre del atacante sin autenticarse. Los atacantes podr\u00edan ejecutar los flujos de activaci\u00f3n manual sin autenticaci\u00f3n ni derechos de acceso a dichas colecciones o elementos. Los usuarios con flujos de activaci\u00f3n manual configurados se ven afectados, ya que estos endpoints no validan actualmente si el usuario tiene acceso de lectura a `directus_flows` o a la colecci\u00f3n o los elementos relevantes. Los flujos de activaci\u00f3n manual deber\u00edan tener requisitos de seguridad m\u00e1s estrictos que los flujos de webhook, donde se espera que los usuarios realicen sus propias comprobaciones. La versi\u00f3n 11.9.0 soluciona el problema. Como soluci\u00f3n alternativa, implemente comprobaciones de permisos para el acceso de lectura a los flujos y el acceso de lectura a la colecci\u00f3n o los elementos relevantes."
    }
  ],
  "id": "CVE-2025-53889",
  "lastModified": "2025-07-16T14:20:25.787",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-15T00:15:23.997",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/directus/directus/releases/tag/v11.9.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/directus/directus/security/advisories/GHSA-7cvf-pxgp-42fc"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2025-53887

Vulnerability from fkie_nvd - Published: 2025-07-15 00:15 - Updated: 2025-07-16 14:19
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly used as the OpenAPI Spec version, which means it is exposed by the `/server/specs/oas` endpoint without authentication. With the exact version information, a malicious attacker can look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version. Version 11.9.0 fixes the issue.
Impacted products
Vendor Product Version
monospace directus *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "F31E6F8B-BDA5-440E-AD39-A3EC8795C7E1",
              "versionEndExcluding": "11.9.0",
              "versionStartIncluding": "9.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly being used as OpenAPI Spec version this means that it is being exposed by the `/server/specs/oas` endpoint without authentication. With the exact version information a malicious attacker can look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version. Version 11.9.0 fixes the issue."
    },
    {
      "lang": "es",
      "value": "Directus es una API en tiempo real y un panel de control de aplicaciones para gestionar el contenido de bases de datos SQL. A partir de la versi\u00f3n 9.0.0 y anteriores a la 11.9.0, el n\u00famero de versi\u00f3n exacto de Directus se utiliza incorrectamente como versi\u00f3n de OpenAPI Spec, lo que significa que el endpoint `/server/specs/oas` lo expone sin autenticaci\u00f3n. Con la informaci\u00f3n exacta de la versi\u00f3n, un atacante malicioso puede buscar vulnerabilidades conocidas en el n\u00facleo de Directus o en cualquiera de sus dependencias incluidas en esa versi\u00f3n espec\u00edfica. La versi\u00f3n 11.9.0 soluciona este problema."
    }
  ],
  "id": "CVE-2025-53887",
  "lastModified": "2025-07-16T14:19:39.037",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-15T00:15:23.847",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/directus/directus/commit/e74f3e4e92edc33b5f83eefb001a3d2a85af17a3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/directus/directus/pull/25353"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/directus/directus/releases/tag/v11.9.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/directus/directus/security/advisories/GHSA-rmjh-cf9q-pv7q"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2025-53886

Vulnerability from fkie_nvd - Published: 2025-07-15 00:15 - Updated: 2025-07-16 14:19
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger, all incoming request details are logged, including security-sensitive data such as the access and refresh tokens carried in cookies. Malicious admins with access to the logs can hijack the sessions of the users who triggered the Flow, for as long as those tokens remain unexpired. Version 11.9.0 fixes the issue.
Impacted products
Vendor Product Version
monospace directus *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "F31E6F8B-BDA5-440E-AD39-A3EC8795C7E1",
              "versionEndExcluding": "11.9.0",
              "versionStartIncluding": "9.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming request details are logged including security sensitive data like access and refresh tokens in cookies. Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them triggering the Flow. Version 11.9.0 fixes the issue."
    },
    {
      "lang": "es",
      "value": "Directus es una API en tiempo real y un panel de control de aplicaciones para gestionar el contenido de bases de datos SQL. A partir de la versi\u00f3n 9.0.0 y anteriores a la 11.9.0, al usar flujos de Directus con el disparador de webhook, se registran todos los detalles de las solicitudes entrantes, incluyendo datos confidenciales como los tokens de acceso y actualizaci\u00f3n en las cookies. Administradores malintencionados con acceso a los registros pueden secuestrar las sesiones de usuario antes de que caduque el token al activar el flujo. La versi\u00f3n 11.9.0 soluciona este problema."
    }
  ],
  "id": "CVE-2025-53886",
  "lastModified": "2025-07-16T14:19:03.560",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-15T00:15:23.690",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/directus/directus/pull/25354"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/directus/directus/releases/tag/v11.9.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/directus/directus/security/advisories/GHSA-f24x-rm6g-3w5v"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        },
        {
          "lang": "en",
          "value": "CWE-212"
        },
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2025-30352

Vulnerability from fkie_nvd - Published: 2025-03-26 18:15 - Updated: 2025-08-26 01:41
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the `search` query parameter allows users with access to a collection to filter items based on fields they do not have permission to view, which enables enumeration of otherwise unknown field contents. The searchable columns (numeric and string fields) are not checked against the user's field permissions when the search term is injected into the `where` clauses that apply the search query, so a user can infer the contents of un-permitted fields by observing which items match a given search term. Version 11.5.0 fixes the issue. Note that the CPE match below lists the affected range as 9.0.1 up to (excluding) 11.5.0 plus the individually enumerated 9.0.0 pre-releases; operators should treat any release in the range stated in this description as affected rather than relying solely on the CPE range.
Impacted products
Vendor Product Version
monospace directus *
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0
monospace directus 9.0.0

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "A325DF47-2060-4AB3-B23A-3E49FB326B99",
              "versionEndExcluding": "11.5.0",
              "versionStartIncluding": "9.0.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha10:*:*:*:node.js:*:*",
              "matchCriteriaId": "57E957B1-893E-433F-87F0-578F79A0588C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha11:*:*:*:node.js:*:*",
              "matchCriteriaId": "DACEC925-A059-41FE-AC2B-801BFF3934CC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha12:*:*:*:node.js:*:*",
              "matchCriteriaId": "406882F6-A01E-4648-A32A-1C8868BBF22C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha13:*:*:*:node.js:*:*",
              "matchCriteriaId": "05490D09-A45C-407C-A8EE-832694AD7BC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha14:*:*:*:node.js:*:*",
              "matchCriteriaId": "DAAB7BAA-2678-40A6-A307-E770C7D1A39A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha15:*:*:*:node.js:*:*",
              "matchCriteriaId": "C921077E-DF8F-4E5E-BE39-4F2514FF7965",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha16:*:*:*:node.js:*:*",
              "matchCriteriaId": "A2454930-529A-40BD-8C78-9E7B50814A8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha17:*:*:*:node.js:*:*",
              "matchCriteriaId": "1307B32A-12DC-43D7-9B92-AEB57E208FCC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha18:*:*:*:node.js:*:*",
              "matchCriteriaId": "0FF46870-7A9F-485F-82C4-28605C271A63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha19:*:*:*:node.js:*:*",
              "matchCriteriaId": "81809A12-1D08-425C-A158-3EC277760915",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha20:*:*:*:node.js:*:*",
              "matchCriteriaId": "A41BE61B-B73A-445D-9470-91F5C557FEDD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha21:*:*:*:node.js:*:*",
              "matchCriteriaId": "3119C562-9579-469A-A15D-34BC83742F32",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha22:*:*:*:node.js:*:*",
              "matchCriteriaId": "FDABCC24-0BAD-4273-9462-A86068FC69C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha23:*:*:*:node.js:*:*",
              "matchCriteriaId": "02071B13-14CE-4F4A-BC7B-DDDAC9E55F8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha24:*:*:*:node.js:*:*",
              "matchCriteriaId": "44BFEE06-A74F-44C3-BBC1-828BFBB011BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha25:*:*:*:node.js:*:*",
              "matchCriteriaId": "38470832-C67F-4BC1-BC32-6CDD5803B665",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha26:*:*:*:node.js:*:*",
              "matchCriteriaId": "7FBC0113-A30A-44EF-915B-1F1223DC22E0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha27:*:*:*:node.js:*:*",
              "matchCriteriaId": "2120E7BF-7560-4CDA-86EB-CC5B2A872F1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha31:*:*:*:node.js:*:*",
              "matchCriteriaId": "06864B05-6E46-4F15-B75B-3F5A4A86AF72",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha32:*:*:*:node.js:*:*",
              "matchCriteriaId": "A5EDDAA8-866A-428B-8071-6B4FE6DA146A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha33:*:*:*:node.js:*:*",
              "matchCriteriaId": "65AD8FCD-9C99-4E73-86C6-6830757F00AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha34:*:*:*:node.js:*:*",
              "matchCriteriaId": "1F8FDF4D-D4D3-463C-AF01-3D92B1402DFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha35:*:*:*:node.js:*:*",
              "matchCriteriaId": "160C0A93-BD3F-403F-94FC-DFDAE5B45601",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha36:*:*:*:node.js:*:*",
              "matchCriteriaId": "38F094AA-8531-4BE7-96B3-14B1B7BCDAA7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha37:*:*:*:node.js:*:*",
              "matchCriteriaId": "774E7656-2420-4145-B7D5-1DFE219D0C73",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha38:*:*:*:node.js:*:*",
              "matchCriteriaId": "B8B2437D-0280-4E6A-B297-46FD4BFD335C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha39:*:*:*:node.js:*:*",
              "matchCriteriaId": "0736A783-87F2-4492-938C-342731B63D0F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha4:*:*:*:node.js:*:*",
              "matchCriteriaId": "971BC038-CF56-4E12-97C8-AC7F3C42F2FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha40:*:*:*:node.js:*:*",
              "matchCriteriaId": "C8E325A8-0FA5-47EE-B277-85667E10AC6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha41:*:*:*:node.js:*:*",
              "matchCriteriaId": "80245E5E-5BC9-48CB-B9F4-CDFEA644D344",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha42:*:*:*:node.js:*:*",
              "matchCriteriaId": "D9D1733E-0AB2-49D5-9861-CF90DEF7D4DC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha5:*:*:*:node.js:*:*",
              "matchCriteriaId": "CE63E33F-F203-4C9F-87FE-7FDDA4AC1AA5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha6:*:*:*:node.js:*:*",
              "matchCriteriaId": "4996A47D-58D2-45DB-AFB5-12878B302FA7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha7:*:*:*:node.js:*:*",
              "matchCriteriaId": "0B677943-841D-4F89-BF8D-8BA6C34DF759",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha8:*:*:*:node.js:*:*",
              "matchCriteriaId": "3B53EAED-F218-45A4-9457-B9D4BBA2D508",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:alpha9:*:*:*:node.js:*:*",
              "matchCriteriaId": "7506F506-3826-4DA1-8ABD-1E5C06F01F8B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta0:*:*:*:node.js:*:*",
              "matchCriteriaId": "4D4F7DA2-0287-4CA0-B862-1AD63286BC22",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta1:*:*:*:node.js:*:*",
              "matchCriteriaId": "4FCB6396-1F7E-4F07-837B-C62F1394AD7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta10:*:*:*:node.js:*:*",
              "matchCriteriaId": "ECC79DA9-EEFA-466E-839A-CEDA2301CBBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta11:*:*:*:node.js:*:*",
              "matchCriteriaId": "CB7F184D-E022-4F6F-8E54-A16D3CC9C591",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta12:*:*:*:node.js:*:*",
              "matchCriteriaId": "B73F733C-2125-4C0E-B18A-D48AE2EF2C68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta13:*:*:*:node.js:*:*",
              "matchCriteriaId": "FD44AB56-F4DA-48C3-8F5B-E44DD2DB13D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta14:*:*:*:node.js:*:*",
              "matchCriteriaId": "D96225EC-4251-4870-B030-4434C5BFCA75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta2:*:*:*:node.js:*:*",
              "matchCriteriaId": "65918BFA-0DD1-4F1A-AB7E-FDFB7870C3D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta3:*:*:*:node.js:*:*",
              "matchCriteriaId": "E000D241-5083-4556-AFCB-06E5B8EC8492",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta4:*:*:*:node.js:*:*",
              "matchCriteriaId": "50530CFF-9DA9-424B-BFE9-1B11D13A03C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta5:*:*:*:node.js:*:*",
              "matchCriteriaId": "051BA743-AB9F-4A40-829B-5511222DB49A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta7:*:*:*:node.js:*:*",
              "matchCriteriaId": "3ED84BB1-99C7-43CC-BF12-6678575128C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta8:*:*:*:node.js:*:*",
              "matchCriteriaId": "2D5A5B7D-C2C2-412E-A1FA-86B9C8E89301",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:beta9:*:*:*:node.js:*:*",
              "matchCriteriaId": "50AFC47C-4278-440F-9760-7916F41F5CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc0:*:*:*:node.js:*:*",
              "matchCriteriaId": "79DF48A1-E6B7-4E79-BA98-BFC8D83988C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc1:*:*:*:node.js:*:*",
              "matchCriteriaId": "ADC6B9DE-1F0E-4B4B-83C9-A33D7D00BF60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc10:*:*:*:node.js:*:*",
              "matchCriteriaId": "E587B50F-C95F-404A-949D-6AA505D97D4E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc100:*:*:*:node.js:*:*",
              "matchCriteriaId": "F33CB7DE-A45C-4A4F-846E-5AA00915EAE3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc101:*:*:*:node.js:*:*",
              "matchCriteriaId": "ABBAA85D-8820-42DF-A092-3455F42CC54B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc11:*:*:*:node.js:*:*",
              "matchCriteriaId": "857ED8BB-9AB7-4EE5-B7E3-B0739ABAC320",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc12:*:*:*:node.js:*:*",
              "matchCriteriaId": "01020B23-511F-46AE-9377-DE98FF106955",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc13:*:*:*:node.js:*:*",
              "matchCriteriaId": "BC8375B9-EBFE-43B3-B622-094934D2A3DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc14:*:*:*:node.js:*:*",
              "matchCriteriaId": "0AE5CC78-5DD8-4EB0-93DC-A2259D1C233C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc15:*:*:*:node.js:*:*",
              "matchCriteriaId": "2D6DEB65-65A3-42B3-AF4D-B5B0C2ECAFAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc17:*:*:*:node.js:*:*",
              "matchCriteriaId": "CB37DCD9-3174-4F38-A197-560461220A92",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc18:*:*:*:node.js:*:*",
              "matchCriteriaId": "90965BB7-2ADE-4CBB-84F9-F0769FD33E7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc19:*:*:*:node.js:*:*",
              "matchCriteriaId": "58F83ADF-13B6-4C16-A446-95FFA2DDFAB4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc2:*:*:*:node.js:*:*",
              "matchCriteriaId": "018F0D61-1045-4668-97CB-1A6C78BF50DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc20:*:*:*:node.js:*:*",
              "matchCriteriaId": "4D3F4961-6960-4F76-8860-0D0A90FDEBC2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc21:*:*:*:node.js:*:*",
              "matchCriteriaId": "D61539A8-E63D-40F9-A71C-BEA16E320E1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc22:*:*:*:node.js:*:*",
              "matchCriteriaId": "C0938C0A-902F-4111-B1A8-9E133C538B35",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc23:*:*:*:node.js:*:*",
              "matchCriteriaId": "F1E89060-50E6-4E9E-9B1E-7A99D583F9FE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc24:*:*:*:node.js:*:*",
              "matchCriteriaId": "3F3BCC59-5FA3-44D7-95C6-53F87B95346F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc25:*:*:*:node.js:*:*",
              "matchCriteriaId": "F76B2AD3-503A-492E-BD47-6C8EF4F03163",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc26:*:*:*:node.js:*:*",
              "matchCriteriaId": "845F2552-DA69-4C12-BA6E-74AFC85FF25E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc27:*:*:*:node.js:*:*",
              "matchCriteriaId": "438648F2-5A4D-4BB6-B2E8-4FA14985E7D0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc28:*:*:*:node.js:*:*",
              "matchCriteriaId": "8B3E718B-D593-4305-B96B-6EFB2B1013FC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc29:*:*:*:node.js:*:*",
              "matchCriteriaId": "5A06E8BC-2666-44C9-9254-18C5D2EE30CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc3:*:*:*:node.js:*:*",
              "matchCriteriaId": "7219A713-5E0F-43DD-805B-D320BE36970F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc30:*:*:*:node.js:*:*",
              "matchCriteriaId": "D3189111-179B-4461-A923-232B526DAA91",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc31:*:*:*:node.js:*:*",
              "matchCriteriaId": "A47BA605-78FC-41CD-8144-1E9925EB9FA1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc32:*:*:*:node.js:*:*",
              "matchCriteriaId": "185165D0-1CBB-451F-B7B1-69F32C8890B4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc33:*:*:*:node.js:*:*",
              "matchCriteriaId": "E5411DD0-02BF-4DEC-9F11-CBD64E5A5827",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc34:*:*:*:node.js:*:*",
              "matchCriteriaId": "E7918F2B-7C73-4B5D-9182-7CC90EE45609",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc35:*:*:*:node.js:*:*",
              "matchCriteriaId": "02AAD6F7-E04F-44DD-B9E9-ED2EAF877CB9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc36:*:*:*:node.js:*:*",
              "matchCriteriaId": "6B388B8A-9D60-4367-8BBA-B902E68DB06C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc37:*:*:*:node.js:*:*",
              "matchCriteriaId": "457FC628-B2A6-48FB-846E-37241C286C8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc38:*:*:*:node.js:*:*",
              "matchCriteriaId": "1AB9AE8A-5410-4F81-85F5-9634A5F09CA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc39:*:*:*:node.js:*:*",
              "matchCriteriaId": "E9D94B15-5E66-42F5-B977-5926AC78B3B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc4:*:*:*:node.js:*:*",
              "matchCriteriaId": "C9D896EA-2FC1-46D9-A359-1765911911E0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc40:*:*:*:node.js:*:*",
              "matchCriteriaId": "47D34C99-94F0-4576-8323-829E9F947467",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc41:*:*:*:node.js:*:*",
              "matchCriteriaId": "18B25751-F979-46A2-80A3-306AD24DB6E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc42:*:*:*:node.js:*:*",
              "matchCriteriaId": "AD733506-5883-4659-AFDD-622BAAE6A268",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc43:*:*:*:node.js:*:*",
              "matchCriteriaId": "67763EB8-CA42-4329-BED4-A5918672708B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc44:*:*:*:node.js:*:*",
              "matchCriteriaId": "B3C51051-FAC5-465F-94F7-1ACE4AEC3CE6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc45:*:*:*:node.js:*:*",
              "matchCriteriaId": "45181B19-7268-4A1A-B171-97ADBEA20B59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc46:*:*:*:node.js:*:*",
              "matchCriteriaId": "88D47305-5072-4558-BD08-7D9C1E8941EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc47:*:*:*:node.js:*:*",
              "matchCriteriaId": "CBA492F0-0D20-4014-AAAE-F869676B10AA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc48:*:*:*:node.js:*:*",
              "matchCriteriaId": "D151C9A4-56A6-4DB0-AF16-0FC5F47B79A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc49:*:*:*:node.js:*:*",
              "matchCriteriaId": "8DF1C900-D3BC-48EB-AACA-D4CD9141DC83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc5:*:*:*:node.js:*:*",
              "matchCriteriaId": "905C3CB9-386E-4069-8024-78F754D4D68E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc50:*:*:*:node.js:*:*",
              "matchCriteriaId": "63006537-E1EE-45B9-9D2A-472B18C7AC61",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc51:*:*:*:node.js:*:*",
              "matchCriteriaId": "994ADB6B-05BB-45AC-AA8E-B5E7F563CD73",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc52:*:*:*:node.js:*:*",
              "matchCriteriaId": "E281F85A-075C-4C7D-8161-71988D913645",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc53:*:*:*:node.js:*:*",
              "matchCriteriaId": "AE9EB722-4D14-4195-931B-F43DCF02DD82",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc54:*:*:*:node.js:*:*",
              "matchCriteriaId": "2C107B59-6187-4751-A5D4-0E376BC8DD86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc55:*:*:*:node.js:*:*",
              "matchCriteriaId": "68A5AC87-91F6-4AC6-B24A-FFEB1F5230F4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc56:*:*:*:node.js:*:*",
              "matchCriteriaId": "94147F63-BFA8-4E7F-A123-CADC0860787B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc57:*:*:*:node.js:*:*",
              "matchCriteriaId": "DDBC68C4-5989-4360-A271-99C453A5F89C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc58:*:*:*:node.js:*:*",
              "matchCriteriaId": "C3527E35-25E2-4FC0-9F2C-1391A7970F2B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc59:*:*:*:node.js:*:*",
              "matchCriteriaId": "BF6DC07D-A6C3-4E83-AA85-2D6681435000",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc6:*:*:*:node.js:*:*",
              "matchCriteriaId": "F3F09869-87E3-4800-A710-9C7941CDEFE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc60:*:*:*:node.js:*:*",
              "matchCriteriaId": "C5B82980-7A69-41BD-B81F-388230F1F4AA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc61:*:*:*:node.js:*:*",
              "matchCriteriaId": "9B0105D6-6D65-4EA7-B578-D6FA47C0256F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc62:*:*:*:node.js:*:*",
              "matchCriteriaId": "7C177176-589B-46FE-A7F9-52A252068700",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc63:*:*:*:node.js:*:*",
              "matchCriteriaId": "6C9A5054-D29D-40C5-B9FA-8C8987815BC1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc64:*:*:*:node.js:*:*",
              "matchCriteriaId": "42EDA79D-0816-476C-B2B2-15E1D577B304",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc65:*:*:*:node.js:*:*",
              "matchCriteriaId": "A3C73CFD-7D69-4B52-BE88-92BE5E95948E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc66:*:*:*:node.js:*:*",
              "matchCriteriaId": "B4789366-7B3A-4719-8633-7CD77231AD4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc67:*:*:*:node.js:*:*",
              "matchCriteriaId": "77ABA1B7-BEC0-4844-AC3D-C50A5F95A975",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc68:*:*:*:node.js:*:*",
              "matchCriteriaId": "C5B334CE-C90C-4C16-BC8A-31EB96E08424",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc69:*:*:*:node.js:*:*",
              "matchCriteriaId": "626AB55C-5EA2-4BF1-B71D-AA3C3F938079",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc7:*:*:*:node.js:*:*",
              "matchCriteriaId": "5D74C6A7-DAB2-4332-8812-5006AC7C5059",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc70:*:*:*:node.js:*:*",
              "matchCriteriaId": "F6936811-46AC-4FBF-BF9A-B79C26903F60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc71:*:*:*:node.js:*:*",
              "matchCriteriaId": "BEB1D541-83EB-4696-BB4C-459D2868E3AA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc72:*:*:*:node.js:*:*",
              "matchCriteriaId": "9B673CB8-3D2C-4B5F-8C74-B0CB6A4E4AE1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc73:*:*:*:node.js:*:*",
              "matchCriteriaId": "30627639-77FB-4BD2-BAA6-B836D69C6CB5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc74:*:*:*:node.js:*:*",
              "matchCriteriaId": "DC13B24F-0654-4EE9-9560-F9B1C84964BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc75:*:*:*:node.js:*:*",
              "matchCriteriaId": "45678A24-A6C5-4102-9556-C3C437E51034",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc76:*:*:*:node.js:*:*",
              "matchCriteriaId": "FDA41F0C-5EE0-4441-A332-FE8EE0BBD559",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc77:*:*:*:node.js:*:*",
              "matchCriteriaId": "54DBA109-30ED-469B-AC70-1F31EFFD895F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc78:*:*:*:node.js:*:*",
              "matchCriteriaId": "B8A55B14-3AD3-407E-964E-C211D1C5F018",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc79:*:*:*:node.js:*:*",
              "matchCriteriaId": "FE0630B0-6279-424B-94F1-78589D369D5C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc8:*:*:*:node.js:*:*",
              "matchCriteriaId": "4304B6AF-77C8-4897-B7AC-C7799F4B3D1E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc80:*:*:*:node.js:*:*",
              "matchCriteriaId": "13DEE564-F460-4A9B-93B9-A0750B5A1095",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc81:*:*:*:node.js:*:*",
              "matchCriteriaId": "26F7F097-03E4-4967-A468-F228E16DE399",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc82:*:*:*:node.js:*:*",
              "matchCriteriaId": "A60A7249-DE56-4246-AB5B-8985E1A9D348",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc83:*:*:*:node.js:*:*",
              "matchCriteriaId": "B94C26B2-BB7C-4D1F-A3F1-FDB6D41820EC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc84:*:*:*:node.js:*:*",
              "matchCriteriaId": "56E73854-4DA2-49A5-B294-9E6D220E27A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc85:*:*:*:node.js:*:*",
              "matchCriteriaId": "67C502CB-97AA-41BF-97FA-96ADB2E8085C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc86:*:*:*:node.js:*:*",
              "matchCriteriaId": "A3183D41-C6BC-40CD-8664-A3E0B4F53B85",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc87:*:*:*:node.js:*:*",
              "matchCriteriaId": "E2C9DFE7-1FE6-4B16-860A-705E93A9CAA5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc88:*:*:*:node.js:*:*",
              "matchCriteriaId": "4F5F54F5-2DAE-497E-9B6A-1CFCCD2DDA26",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc89:*:*:*:node.js:*:*",
              "matchCriteriaId": "D0E93F86-5540-4824-A633-1FB7554C7667",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc9:*:*:*:node.js:*:*",
              "matchCriteriaId": "3EAB3390-7226-48C1-9733-DF10F00ABF23",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc90:*:*:*:node.js:*:*",
              "matchCriteriaId": "8C54A473-18C8-4FD0-A72F-DFF16FA6C2C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc91:*:*:*:node.js:*:*",
              "matchCriteriaId": "481855FA-4917-477C-9048-91A2D5AB5C89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc92:*:*:*:node.js:*:*",
              "matchCriteriaId": "4599AB33-9E40-4160-8E96-2B40BBC30FDB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc93:*:*:*:node.js:*:*",
              "matchCriteriaId": "25F6546A-0910-4834-870A-F7E2F96FC63B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc94:*:*:*:node.js:*:*",
              "matchCriteriaId": "FE9469F4-4344-4AA1-B94F-14380B8E47CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc95:*:*:*:node.js:*:*",
              "matchCriteriaId": "DF391F49-3CB0-4B24-B162-D63E029003B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc96:*:*:*:node.js:*:*",
              "matchCriteriaId": "9B8C3A2D-6485-4211-A4E1-C4AEFC96501B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc97:*:*:*:node.js:*:*",
              "matchCriteriaId": "20FC540E-0C8E-4CEF-9A82-94637C1381EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc98:*:*:*:node.js:*:*",
              "matchCriteriaId": "3E00F86C-5BDD-43C4-BCE5-DAA151C2FF1E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:monospace:directus:9.0.0:rc99:*:*:*:node.js:*:*",
              "matchCriteriaId": "2EB1F36B-2212-4911-A417-1C4604793F8B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the `search` query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the enumeration of unknown field contents. The searchable columns (numbers \u0026 strings) are not checked against permissions when injecting the `where` clauses for applying the search query. This leads to the possibility of enumerating those un-permitted fields. Version 11.5.0 fixes the issue."
    },
    {
      "lang": "es",
      "value": "Directus es una API en tiempo real y un panel de control para aplicaciones que gestiona el contenido de bases de datos SQL. A partir de la versi\u00f3n 9.0.0-alpha.4 y anteriores a la 11.5.0, el par\u00e1metro de consulta `search` permite a los usuarios con acceso a una colecci\u00f3n filtrar elementos seg\u00fan los campos que no tienen permiso para ver. Esto permite enumerar el contenido de campos desconocidos. Las columnas de b\u00fasqueda (n\u00fameros y cadenas) no se verifican con los permisos al inyectar las cl\u00e1usulas `where` para aplicar la consulta de b\u00fasqueda. Esto permite enumerar los campos no permitidos. La versi\u00f3n 11.5.0 soluciona este problema."
    }
  ],
  "id": "CVE-2025-30352",
  "lastModified": "2025-08-26T01:41:50.303",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-03-26T18:15:27.080",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/directus/directus/commit/ac5a9964d9926f20dc063a74cb417dc7bbad676d"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/directus/directus/security/advisories/GHSA-7wq3-jr35-275c"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/directus/directus/security/advisories/GHSA-7wq3-jr35-275c"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2025-30353

Vulnerability from fkie_nvd - Published: 2025-03-26 18:15 - Updated: 2025-08-26 01:47
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse. Version 11.5.0 fixes the issue.
Impacted products
Vendor Product Version
monospace directus *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "F6E0D59B-7EE8-4275-BE4F-10D92F7D51EC",
              "versionEndExcluding": "11.5.0",
              "versionStartIncluding": "9.12.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the \"Webhook\" trigger and the \"Data of Last Operation\" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse. Version 11.5.0 fixes the issue."
    },
    {
      "lang": "es",
      "value": "Directus es un panel de control de API y aplicaciones en tiempo real para gestionar el contenido de bases de datos SQL. A partir de la versi\u00f3n 9.12.0 y anteriores a la 11.5.0, cuando un flujo con el disparador \"Webhook\" y el cuerpo de respuesta \"Datos de la \u00faltima operaci\u00f3n\" encuentra un error de validaci\u00f3n generado por una operaci\u00f3n condicional fallida, la respuesta de la API incluye datos confidenciales. Estos incluyen variables de entorno, claves de API confidenciales, informaci\u00f3n de responsabilidad del usuario y datos operativos. Este problema supone un riesgo de seguridad significativo, ya que cualquier exposici\u00f3n involuntaria de estos datos podr\u00eda dar lugar a un posible uso indebido. La versi\u00f3n 11.5.0 soluciona el problema."
    }
  ],
  "id": "CVE-2025-30353",
  "lastModified": "2025-08-26T01:47:43.713",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-03-26T18:15:27.327",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2025-30351

Vulnerability from fkie_nvd - Published: 2025-03-26 18:15 - Updated: 2025-08-26 01:36
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.10.0 and prior to version 11.5.0, a suspended user can use the token generated in session auth mode to access the API despite their status. This happens because there is a check missing in `verifySessionJWT` to verify that a user is actually still active and allowed to access the API. One can extract the session token obtained by, e.g., logging in to the app while still active and then, after the user has been suspended, continue to use that token until it expires. Version 11.5.0 patches the issue.
Impacted products
Vendor Product Version
monospace directus *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "BA77CBCA-A96F-454B-88FE-6E37F84A5604",
              "versionEndExcluding": "11.5.0",
              "versionStartIncluding": "10.10.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.10.0 and prior to version 11.5.0, a suspended user can use the token generated in session auth mode to access the API despite their status. This happens because there is a check missing in `verifySessionJWT` to verify that a user is actually still active and allowed to access the API. One can extract the session token obtained by, e.g. login in to the app while still active and then, after the user has been suspended continue to use that token until it expires. Version 11.5.0 patches the issue."
    },
    {
      "lang": "es",
      "value": "Directus es un panel de control de API y aplicaciones en tiempo real para gestionar el contenido de bases de datos SQL. A partir de la versi\u00f3n 10.10.0 y anteriores a la 11.5.0, un usuario suspendido puede usar el token generado en el modo de autenticaci\u00f3n de sesi\u00f3n para acceder a la API, independientemente de su estado. Esto se debe a que falta una comprobaci\u00f3n en `verifySessionJWT` para verificar que un usuario siga activo y tenga permiso para acceder a la API. Se puede extraer el token de sesi\u00f3n obtenido, por ejemplo, iniciando sesi\u00f3n en la aplicaci\u00f3n mientras el usuario sigue activo y, una vez suspendido, seguir us\u00e1ndolo hasta que caduque. La versi\u00f3n 11.5.0 soluciona el problema."
    }
  ],
  "id": "CVE-2025-30351",
  "lastModified": "2025-08-26T01:36:01.170",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-03-26T18:15:26.873",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/directus/directus/commit/ef179931c55b50c110feca8404901d5633940771"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/directus/directus/security/advisories/GHSA-56p6-qw3c-fq2g"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/directus/directus/security/advisories/GHSA-56p6-qw3c-fq2g"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-672"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

CVE-2025-64749 (GCVE-0-2025-64749)

Vulnerability from cvelistv5 – Published: 2025-11-13 21:34 – Updated: 2025-11-14 17:15
Title
Directus Vulnerable to Information Leakage in Existing Collections
Summary
Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they are not authorized to access, and when a user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users who are not authorized to access these collections. Version 11.13.0 fixes the issue.
CWE
  • CWE-203 - Observable Discrepancy
  • CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
Impacted products
Vendor Product Version
directus directus Affected: < 11.13.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64749",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-14T17:14:48.614823Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-14T17:15:38.905Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 11.13.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they are not authorized to access, and when user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users which are not authorized to access these collections. Version 11.13.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-203",
              "description": "CWE-203: Observable Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-13T21:34:54.603Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr"
        },
        {
          "name": "https://github.com/directus/directus/commit/f99c9b89071f9d136cc9b0d0c182f2d24542bc31",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/f99c9b89071f9d136cc9b0d0c182f2d24542bc31"
        }
      ],
      "source": {
        "advisory": "GHSA-cph6-524f-3hgr",
        "discovery": "UNKNOWN"
      },
      "title": "Directus Vulnerable to Information Leakage in Existing Collections"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64749",
    "datePublished": "2025-11-13T21:34:54.603Z",
    "dateReserved": "2025-11-10T22:29:34.873Z",
    "dateUpdated": "2025-11-14T17:15:38.905Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-64748 (GCVE-0-2025-64748)

Vulnerability from cvelistv5 – Published: 2025-11-13 21:29 – Updated: 2025-11-13 21:39
Title
Directus's conceal fields are searchable if read permissions enabled
Summary
Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. Version 11.13.0 fixes the issue.
CWE
  • CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
Impacted products
Vendor Product Version
directus directus Affected: < 11.13.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64748",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-13T21:39:19.195130Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-13T21:39:43.765Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 11.13.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. Version 11.13.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-201",
              "description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-13T21:29:44.649Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh"
        },
        {
          "name": "https://github.com/directus/directus/commit/7737d56e096f95edfbdf861a3c08999ad31ce204",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/7737d56e096f95edfbdf861a3c08999ad31ce204"
        }
      ],
      "source": {
        "advisory": "GHSA-8jpw-gpr4-8cmh",
        "discovery": "UNKNOWN"
      },
      "title": "Directus\u0027s conceal fields are searchable if read permissions enabled"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64748",
    "datePublished": "2025-11-13T21:29:44.649Z",
    "dateReserved": "2025-11-10T22:29:34.872Z",
    "dateUpdated": "2025-11-13T21:39:43.765Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-64747 (GCVE-0-2025-64747)

Vulnerability from cvelistv5 – Published: 2025-11-13 21:13 – Updated: 2025-11-13 21:33
Title
Directus Vulnerable to Stored Cross-site Scripting
Summary
Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. Version 11.13.0 fixes the issue.
CWE
  • CWE-20 - Improper Input Validation
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
directus directus Affected: < 11.13.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64747",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-13T21:33:34.130224Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-13T21:33:55.297Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 11.13.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. Version 11.13.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-13T21:13:42.627Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-vv2v-pw69-8crf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-vv2v-pw69-8crf"
        },
        {
          "name": "https://github.com/directus/directus/commit/d23525317f0780f04aa1fe7a99171a358e43cb2e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/d23525317f0780f04aa1fe7a99171a358e43cb2e"
        }
      ],
      "source": {
        "advisory": "GHSA-vv2v-pw69-8crf",
        "discovery": "UNKNOWN"
      },
      "title": "Directus Vulnerable to Stored Cross-site Scripting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64747",
    "datePublished": "2025-11-13T21:13:42.627Z",
    "dateReserved": "2025-11-10T22:29:34.872Z",
    "dateUpdated": "2025-11-13T21:33:55.297Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-64746 (GCVE-0-2025-64746)

Vulnerability from cvelistv5 – Published: 2025-11-13 20:54 – Updated: 2025-11-13 21:19
Title
Directus has Improper Permission Handling on Deleted Fields
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue.
CWE
  • CWE-284 - Improper Access Control
  • CWE-863 - Incorrect Authorization
Assigner
Impacted products
Vendor Product Version
directus directus Affected: < 11.13.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64746",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-13T21:18:13.759196Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-13T21:19:01.907Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 11.13.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-13T20:54:42.351Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-9x5g-62gj-wqf2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-9x5g-62gj-wqf2"
        },
        {
          "name": "https://github.com/directus/directus/commit/84d7636969083387164ce5d2fd15a65e11e2d0b8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/84d7636969083387164ce5d2fd15a65e11e2d0b8"
        }
      ],
      "source": {
        "advisory": "GHSA-9x5g-62gj-wqf2",
        "discovery": "UNKNOWN"
      },
      "title": "Directus has Improper Permission Handling on Deleted Fields"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64746",
    "datePublished": "2025-11-13T20:54:42.351Z",
    "dateReserved": "2025-11-10T22:29:34.872Z",
    "dateUpdated": "2025-11-13T21:19:01.907Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-53889 (GCVE-0-2025-53889)

Vulnerability from cvelistv5 – Published: 2025-07-14 23:50 – Updated: 2025-07-15 19:48
Title
Directus missing permission checks for manual trigger Flows
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger do not validate whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do, this can lead to the Flow executing tasks on the attacker's behalf without authentication. Bad actors could execute manual-trigger Flows without authentication, or without access rights to the collection(s) or item(s) in question. Users with manual trigger Flows configured are impacted, as these endpoints do not validate whether the user has read access to `directus_flows` or to the relevant collection/items. Manual trigger Flows should have tighter security requirements than webhook Flows, where users are expected to perform their own checks. Version 11.9.0 fixes the issue. As a workaround, implement permission checks for read access to Flows and read access to the relevant collection/items.
CWE
  • CWE-287 - Improper Authentication
Assigner
Impacted products
Vendor Product Version
directus directus Affected: >= 9.12.0, < 11.9.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53889",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-15T13:43:29.307725Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T19:48:56.003Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 9.12.0, \u003c 11.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger do not validate whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do, this can lead to the Flow executing tasks on the attacker\u0027s behalf without authentication. Bad actors could execute manual-trigger Flows without authentication, or without access rights to the collection(s) or item(s) in question. Users with manual trigger Flows configured are impacted, as these endpoints do not validate whether the user has read access to `directus_flows` or to the relevant collection/items. Manual trigger Flows should have tighter security requirements than webhook Flows, where users are expected to perform their own checks. Version 11.9.0 fixes the issue. As a workaround, implement permission checks for read access to Flows and read access to the relevant collection/items."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-14T23:50:23.283Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-7cvf-pxgp-42fc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-7cvf-pxgp-42fc"
        },
        {
          "name": "https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb"
        },
        {
          "name": "https://github.com/directus/directus/releases/tag/v11.9.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/releases/tag/v11.9.0"
        }
      ],
      "source": {
        "advisory": "GHSA-7cvf-pxgp-42fc",
        "discovery": "UNKNOWN"
      },
      "title": "Directus missing permission checks for manual trigger Flows"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53889",
    "datePublished": "2025-07-14T23:50:23.283Z",
    "dateReserved": "2025-07-11T19:05:23.824Z",
    "dateUpdated": "2025-07-15T19:48:56.003Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-53887 (GCVE-0-2025-53887)

Vulnerability from cvelistv5 – Published: 2025-07-14 23:40 – Updated: 2025-07-15 19:49
Title
Directus's exact version number is exposed by the OpenAPI Spec
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly used as the OpenAPI Spec version, which means it is exposed by the `/server/specs/oas` endpoint without authentication. With the exact version information, a malicious attacker can look for known vulnerabilities in Directus core or any of its shipped dependencies for that specific running version. Version 11.9.0 fixes the issue.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
Impacted products
Vendor Product Version
directus directus Affected: >= 9.0.0, < 11.9.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53887",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-15T13:45:18.982488Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T19:49:03.448Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 9.0.0, \u003c 11.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly used as the OpenAPI Spec version, which means it is exposed by the `/server/specs/oas` endpoint without authentication. With the exact version information, a malicious attacker can look for known vulnerabilities in Directus core or any of its shipped dependencies for that specific running version. Version 11.9.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-14T23:49:23.311Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-rmjh-cf9q-pv7q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-rmjh-cf9q-pv7q"
        },
        {
          "name": "https://github.com/directus/directus/pull/25353",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/pull/25353"
        },
        {
          "name": "https://github.com/directus/directus/commit/e74f3e4e92edc33b5f83eefb001a3d2a85af17a3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/e74f3e4e92edc33b5f83eefb001a3d2a85af17a3"
        },
        {
          "name": "https://github.com/directus/directus/releases/tag/v11.9.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/releases/tag/v11.9.0"
        }
      ],
      "source": {
        "advisory": "GHSA-rmjh-cf9q-pv7q",
        "discovery": "UNKNOWN"
      },
      "title": "Directus\u0027s exact version number is exposed by the OpenAPI Spec"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53887",
    "datePublished": "2025-07-14T23:40:59.198Z",
    "dateReserved": "2025-07-11T19:05:23.824Z",
    "dateUpdated": "2025-07-15T19:49:03.448Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-53886 (GCVE-0-2025-53886)

Vulnerability from cvelistv5 – Published: 2025-07-14 23:35 – Updated: 2025-07-15 13:41
Title
Directus doesn't redact tokens in Flow logs
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger, all incoming request details are logged, including security-sensitive data such as access and refresh tokens in cookies. Malicious admins with access to the logs can hijack the sessions of the users who triggered the Flow for as long as the captured tokens remain valid. Version 11.9.0 fixes the issue.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
Impacted products
Vendor Product Version
directus directus Affected: >= 9.0.0, < 11.9.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53886",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-15T13:41:05.387368Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T13:41:18.865Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 9.0.0, \u003c 11.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger, all incoming request details are logged, including security-sensitive data such as access and refresh tokens in cookies. Malicious admins with access to the logs can hijack the sessions of the users who triggered the Flow for as long as the captured tokens remain valid. Version 11.9.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-212",
              "description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-14T23:35:56.448Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-f24x-rm6g-3w5v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-f24x-rm6g-3w5v"
        },
        {
          "name": "https://github.com/directus/directus/pull/25354",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/pull/25354"
        },
        {
          "name": "https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb"
        },
        {
          "name": "https://github.com/directus/directus/releases/tag/v11.9.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/releases/tag/v11.9.0"
        }
      ],
      "source": {
        "advisory": "GHSA-f24x-rm6g-3w5v",
        "discovery": "UNKNOWN"
      },
      "title": "Directus doesn\u0027t redact tokens in Flow logs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53886",
    "datePublished": "2025-07-14T23:35:56.448Z",
    "dateReserved": "2025-07-11T19:05:23.824Z",
    "dateUpdated": "2025-07-15T13:41:18.865Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-53885 (GCVE-0-2025-53885)

Vulnerability from cvelistv5 – Published: 2025-07-14 23:18 – Updated: 2025-07-15 13:43
Title
Directus doesn't redact sensitive user data when logging via event hooks
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users, it is possible to log the incoming data to the console using the "Log to Console" operation and a template string. Malicious admins can log sensitive data from other users when those users are created or updated. Version 11.9.0 contains a fix for the issue. As a workaround, avoid logging sensitive data to the console outside the context of development.
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
Impacted products
Vendor Product Version
directus directus Affected: >= 9.0.0, < 11.9.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53885",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-15T13:43:27.488182Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T13:43:35.843Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 9.0.0, \u003c 11.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users, it is possible to log the incoming data to the console using the \"Log to Console\" operation and a template string. Malicious admins can log sensitive data from other users when those users are created or updated. Version 11.9.0 contains a fix for the issue. As a workaround, avoid logging sensitive data to the console outside the context of development."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-14T23:18:57.503Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-x3vm-88hf-gpxp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-x3vm-88hf-gpxp"
        },
        {
          "name": "https://github.com/directus/directus/pull/25355",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/pull/25355"
        },
        {
          "name": "https://github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff580e5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff580e5"
        },
        {
          "name": "https://github.com/directus/directus/releases/tag/v11.9.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/releases/tag/v11.9.0"
        }
      ],
      "source": {
        "advisory": "GHSA-x3vm-88hf-gpxp",
        "discovery": "UNKNOWN"
      },
      "title": "Directus doesn\u0027t redact sensitive user data when logging via event hooks"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53885",
    "datePublished": "2025-07-14T23:18:57.503Z",
    "dateReserved": "2025-07-11T19:05:23.824Z",
    "dateUpdated": "2025-07-15T13:43:35.843Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-30353 (GCVE-0-2025-30353)

Vulnerability from cvelistv5 – Published: 2025-03-26 17:26 – Updated: 2025-03-26 17:44
Title
Directus's webhook trigger flows can leak sensitive data
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environment variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse. Version 11.5.0 fixes the issue.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
Vendor Product Version
directus directus Affected: >= 9.12.0, < 11.5.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-30353",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-26T17:43:59.404279Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-26T17:44:22.290Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 9.12.0, \u003c 11.5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the \"Webhook\" trigger and the \"Data of Last Operation\" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse. Version 11.5.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-26T17:26:51.803Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h"
        }
      ],
      "source": {
        "advisory": "GHSA-fm3h-p9wm-h74h",
        "discovery": "UNKNOWN"
      },
      "title": "Directus\u0027s webhook trigger flows can leak sensitive data"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-30353",
    "datePublished": "2025-03-26T17:26:51.803Z",
    "dateReserved": "2025-03-21T14:12:06.270Z",
    "dateUpdated": "2025-03-26T17:44:22.290Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-30352 (GCVE-0-2025-30352)

Vulnerability from cvelistv5 – Published: 2025-03-26 17:18 – Updated: 2025-03-27 15:15
Title
Directus `search` query parameter allows enumeration of non permitted fields
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the `search` query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the enumeration of unknown field contents. The searchable columns (numbers & strings) are not checked against permissions when injecting the `where` clauses that apply the search query. This makes it possible to enumerate those non-permitted fields. Version 11.5.0 fixes the issue.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
Impacted products
Vendor Product Version
directus directus Affected: >= 9.0.0-alpha.4, < 11.5.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-30352",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-27T15:14:43.647720Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T15:15:07.652Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/directus/directus/security/advisories/GHSA-7wq3-jr35-275c"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 9.0.0-alpha.4, \u003c 11.5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the `search` query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the enumeration of unknown field contents. The searchable columns (numbers \u0026 strings) are not checked against permissions when injecting the `where` clauses for applying the search query. This leads to the possibility of enumerating those un-permitted fields. Version 11.5.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-26T17:18:39.567Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-7wq3-jr35-275c",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-7wq3-jr35-275c"
        },
        {
          "name": "https://github.com/directus/directus/commit/ac5a9964d9926f20dc063a74cb417dc7bbad676d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/ac5a9964d9926f20dc063a74cb417dc7bbad676d"
        }
      ],
      "source": {
        "advisory": "GHSA-7wq3-jr35-275c",
        "discovery": "UNKNOWN"
      },
      "title": "Directus `search` query parameter allows enumeration of non permitted fields"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-30352",
    "datePublished": "2025-03-26T17:18:39.567Z",
    "dateReserved": "2025-03-21T14:12:06.270Z",
    "dateUpdated": "2025-03-27T15:15:07.652Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-64749 (GCVE-0-2025-64749)

Vulnerability from nvd – Published: 2025-11-13 21:34 – Updated: 2025-11-14 17:15
Title
Directus Vulnerable to Information Leakage in Existing Collections
Summary
Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they are not authorized to access, and when a user tries to access a non-existent collection. The two differing error messages leak the existence of collections to users who are not authorized to access those collections. Version 11.13.0 fixes the issue.
CWE
  • CWE-203 - Observable Discrepancy
  • CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
Impacted products
Vendor Product Version
directus directus Affected: < 11.13.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64749",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-14T17:14:48.614823Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-14T17:15:38.905Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 11.13.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they are not authorized to access, and when user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users which are not authorized to access these collections. Version 11.13.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-203",
              "description": "CWE-203: Observable Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-13T21:34:54.603Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr"
        },
        {
          "name": "https://github.com/directus/directus/commit/f99c9b89071f9d136cc9b0d0c182f2d24542bc31",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/f99c9b89071f9d136cc9b0d0c182f2d24542bc31"
        }
      ],
      "source": {
        "advisory": "GHSA-cph6-524f-3hgr",
        "discovery": "UNKNOWN"
      },
      "title": "Directus Vulnerable to Information Leakage in Existing Collections"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64749",
    "datePublished": "2025-11-13T21:34:54.603Z",
    "dateReserved": "2025-11-10T22:29:34.873Z",
    "dateUpdated": "2025-11-14T17:15:38.905Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-64748 (GCVE-0-2025-64748)

Vulnerability from nvd – Published: 2025-11-13 21:29 – Updated: 2025-11-13 21:39
Title
Directus's conceal fields are searchable if read permissions enabled
Summary
Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. Version 11.13.0 fixes the issue.
CWE
  • CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
Impacted products
Vendor Product Version
directus directus Affected: < 11.13.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64748",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-13T21:39:19.195130Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-13T21:39:43.765Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 11.13.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. Version 11.13.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-201",
              "description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-13T21:29:44.649Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh"
        },
        {
          "name": "https://github.com/directus/directus/commit/7737d56e096f95edfbdf861a3c08999ad31ce204",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/7737d56e096f95edfbdf861a3c08999ad31ce204"
        }
      ],
      "source": {
        "advisory": "GHSA-8jpw-gpr4-8cmh",
        "discovery": "UNKNOWN"
      },
      "title": "Directus\u0027s conceal fields are searchable if read permissions enabled"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64748",
    "datePublished": "2025-11-13T21:29:44.649Z",
    "dateReserved": "2025-11-10T22:29:34.872Z",
    "dateUpdated": "2025-11-13T21:39:43.765Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-64747 (GCVE-0-2025-64747)

Vulnerability from nvd – Published: 2025-11-13 21:13 – Updated: 2025-11-13 21:33
Title
Directus Vulnerable to Stored Cross-site Scripting
Summary
Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. Version 11.13.0 fixes the issue.
CWE
  • CWE-20 - Improper Input Validation
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
directus directus Affected: < 11.13.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64747",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-13T21:33:34.130224Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-13T21:33:55.297Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 11.13.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. Version 11.13.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-13T21:13:42.627Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-vv2v-pw69-8crf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-vv2v-pw69-8crf"
        },
        {
          "name": "https://github.com/directus/directus/commit/d23525317f0780f04aa1fe7a99171a358e43cb2e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/d23525317f0780f04aa1fe7a99171a358e43cb2e"
        }
      ],
      "source": {
        "advisory": "GHSA-vv2v-pw69-8crf",
        "discovery": "UNKNOWN"
      },
      "title": "Directus Vulnerable to Stored Cross-site Scripting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64747",
    "datePublished": "2025-11-13T21:13:42.627Z",
    "dateReserved": "2025-11-10T22:29:34.872Z",
    "dateUpdated": "2025-11-13T21:33:55.297Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-64746 (GCVE-0-2025-64746)

Vulnerability from nvd – Published: 2025-11-13 20:54 – Updated: 2025-11-13 21:19
Title
Directus has Improper Permission Handling on Deleted Fields
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue.
CWE
Assigner
Impacted products
Vendor Product Version
directus directus Affected: < 11.13.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64746",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-13T21:18:13.759196Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-13T21:19:01.907Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 11.13.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-13T20:54:42.351Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-9x5g-62gj-wqf2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-9x5g-62gj-wqf2"
        },
        {
          "name": "https://github.com/directus/directus/commit/84d7636969083387164ce5d2fd15a65e11e2d0b8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/84d7636969083387164ce5d2fd15a65e11e2d0b8"
        }
      ],
      "source": {
        "advisory": "GHSA-9x5g-62gj-wqf2",
        "discovery": "UNKNOWN"
      },
      "title": "Directus has Improper Permission Handling on Deleted Fields"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64746",
    "datePublished": "2025-11-13T20:54:42.351Z",
    "dateReserved": "2025-11-10T22:29:34.872Z",
    "dateUpdated": "2025-11-13T21:19:01.907Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-53889 (GCVE-0-2025-53889)

Vulnerability from nvd – Published: 2025-07-14 23:50 – Updated: 2025-07-15 19:48
Title
Directus missing permission checks for manual trigger Flows
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do, this can lead to the Flow executing tasks on the attacker's behalf without authentication. Bad actors could execute the manual trigger Flows without authentication or without access rights to the collection(s) or item(s) concerned. Users with manual trigger Flows configured are impacted, as these endpoints do not currently validate whether the user has read access to `directus_flows` or to the relevant collection/items. Manual trigger Flows should have tighter security requirements than webhook Flows, where users are expected to perform their own checks. Version 11.9.0 fixes the issue. As a workaround, implement permission checks for read access to Flows and read access to the relevant collection/items.
CWE
  • CWE-287 - Improper Authentication
Assigner
Impacted products
Vendor Product Version
directus directus Affected: >= 9.12.0, < 11.9.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53889",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-15T13:43:29.307725Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T19:48:56.003Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 9.12.0, \u003c 11.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do, this can lead to the Flow executing tasks on the attacker\u0027s behalf without authentication. Bad actors could execute the manual trigger Flows without authentication or without access rights to the collection(s) or item(s) concerned. Users with manual trigger Flows configured are impacted, as these endpoints do not currently validate whether the user has read access to `directus_flows` or to the relevant collection/items. Manual trigger Flows should have tighter security requirements than webhook Flows, where users are expected to perform their own checks. Version 11.9.0 fixes the issue. As a workaround, implement permission checks for read access to Flows and read access to the relevant collection/items."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-14T23:50:23.283Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-7cvf-pxgp-42fc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-7cvf-pxgp-42fc"
        },
        {
          "name": "https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb"
        },
        {
          "name": "https://github.com/directus/directus/releases/tag/v11.9.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/releases/tag/v11.9.0"
        }
      ],
      "source": {
        "advisory": "GHSA-7cvf-pxgp-42fc",
        "discovery": "UNKNOWN"
      },
      "title": "Directus missing permission checks for manual trigger Flows"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53889",
    "datePublished": "2025-07-14T23:50:23.283Z",
    "dateReserved": "2025-07-11T19:05:23.824Z",
    "dateUpdated": "2025-07-15T19:48:56.003Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-53887 (GCVE-0-2025-53887)

Vulnerability from nvd – Published: 2025-07-14 23:40 – Updated: 2025-07-15 19:49
Title
Directus's exact version number is exposed by the OpenAPI Spec
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly used as the OpenAPI Spec version, which means it is exposed by the `/server/specs/oas` endpoint without authentication. With the exact version information, a malicious attacker can look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version. Version 11.9.0 fixes the issue.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
Impacted products
Vendor Product Version
directus directus Affected: >= 9.0.0, < 11.9.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53887",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-15T13:45:18.982488Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T19:49:03.448Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 9.0.0, \u003c 11.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly used as the OpenAPI Spec version, which means it is exposed by the `/server/specs/oas` endpoint without authentication. With the exact version information, a malicious attacker can look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version. Version 11.9.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-14T23:49:23.311Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-rmjh-cf9q-pv7q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-rmjh-cf9q-pv7q"
        },
        {
          "name": "https://github.com/directus/directus/pull/25353",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/pull/25353"
        },
        {
          "name": "https://github.com/directus/directus/commit/e74f3e4e92edc33b5f83eefb001a3d2a85af17a3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/e74f3e4e92edc33b5f83eefb001a3d2a85af17a3"
        },
        {
          "name": "https://github.com/directus/directus/releases/tag/v11.9.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/releases/tag/v11.9.0"
        }
      ],
      "source": {
        "advisory": "GHSA-rmjh-cf9q-pv7q",
        "discovery": "UNKNOWN"
      },
      "title": "Directus\u0027s exact version number is exposed by the OpenAPI Spec"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53887",
    "datePublished": "2025-07-14T23:40:59.198Z",
    "dateReserved": "2025-07-11T19:05:23.824Z",
    "dateUpdated": "2025-07-15T19:49:03.448Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-53886 (GCVE-0-2025-53886)

Vulnerability from nvd – Published: 2025-07-14 23:35 – Updated: 2025-07-15 13:41
Title
Directus doesn't redact tokens in Flow logs
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger, all incoming request details are logged, including security-sensitive data such as the access and refresh tokens carried in cookies. Malicious admins with access to the logs can hijack the sessions of the users who triggered the Flow until those tokens expire. Version 11.9.0 fixes the issue.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
Impacted products
Vendor Product Version
directus directus Affected: >= 9.0.0, < 11.9.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53886",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-15T13:41:05.387368Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T13:41:18.865Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 9.0.0, \u003c 11.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger, all incoming request details are logged, including security-sensitive data such as the access and refresh tokens carried in cookies. Malicious admins with access to the logs can hijack the sessions of the users who triggered the Flow until those tokens expire. Version 11.9.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-212",
              "description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-14T23:35:56.448Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-f24x-rm6g-3w5v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-f24x-rm6g-3w5v"
        },
        {
          "name": "https://github.com/directus/directus/pull/25354",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/pull/25354"
        },
        {
          "name": "https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb"
        },
        {
          "name": "https://github.com/directus/directus/releases/tag/v11.9.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/releases/tag/v11.9.0"
        }
      ],
      "source": {
        "advisory": "GHSA-f24x-rm6g-3w5v",
        "discovery": "UNKNOWN"
      },
      "title": "Directus doesn\u0027t redact tokens in Flow logs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53886",
    "datePublished": "2025-07-14T23:35:56.448Z",
    "dateReserved": "2025-07-11T19:05:23.824Z",
    "dateUpdated": "2025-07-15T13:41:18.865Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-53885 (GCVE-0-2025-53885)

Vulnerability from nvd – Published: 2025-07-14 23:18 – Updated: 2025-07-15 13:43
Title
Directus doesn't redact sensitive user data when logging via event hooks
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users, it is possible to log the incoming data to the console using the "Log to Console" operation and a template string. Malicious admins can thereby log sensitive data from other users when those users are created or updated. Version 11.9.0 contains a fix for the issue. As a workaround, avoid logging sensitive data to the console outside the context of development.
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
Impacted products
Vendor Product Version
directus directus Affected: >= 9.0.0, < 11.9.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53885",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-15T13:43:27.488182Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T13:43:35.843Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 9.0.0, \u003c 11.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the \"Log to Console\" operation and a template string. Malicious admins can log sensitive data from other users when they are created or updated. Version 11.9.0 contains a fix for the issue. As a workaround, avoid logging sensitive data to the console outside the context of development."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-14T23:18:57.503Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-x3vm-88hf-gpxp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-x3vm-88hf-gpxp"
        },
        {
          "name": "https://github.com/directus/directus/pull/25355",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/pull/25355"
        },
        {
          "name": "https://github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff580e5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff580e5"
        },
        {
          "name": "https://github.com/directus/directus/releases/tag/v11.9.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/releases/tag/v11.9.0"
        }
      ],
      "source": {
        "advisory": "GHSA-x3vm-88hf-gpxp",
        "discovery": "UNKNOWN"
      },
      "title": "Directus doesn\u0027t redact sensitive user data when logging via event hooks"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53885",
    "datePublished": "2025-07-14T23:18:57.503Z",
    "dateReserved": "2025-07-11T19:05:23.824Z",
    "dateUpdated": "2025-07-15T13:43:35.843Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-30353 (GCVE-0-2025-30353)

Vulnerability from nvd – Published: 2025-03-26 17:26 – Updated: 2025-03-26 17:44
Title
Directus's webhook trigger flows can leak sensitive data
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environment variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to misuse. Version 11.5.0 fixes the issue.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
Vendor Product Version
directus directus Affected: >= 9.12.0, < 11.5.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-30353",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-26T17:43:59.404279Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-26T17:44:22.290Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 9.12.0, \u003c 11.5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the \"Webhook\" trigger and the \"Data of Last Operation\" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse. Version 11.5.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-26T17:26:51.803Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h"
        }
      ],
      "source": {
        "advisory": "GHSA-fm3h-p9wm-h74h",
        "discovery": "UNKNOWN"
      },
      "title": "Directus\u0027s webhook trigger flows can leak sensitive data"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-30353",
    "datePublished": "2025-03-26T17:26:51.803Z",
    "dateReserved": "2025-03-21T14:12:06.270Z",
    "dateUpdated": "2025-03-26T17:44:22.290Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}