CVE-2025-30353 (GCVE-0-2025-30353)
Vulnerability from cvelistv5 – Published: 2025-03-26 17:26 – Updated: 2025-03-26 17:44
VLAI?
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse. Version 11.5.0 fixes the issue.
Severity ?
8.6 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30353",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T17:43:59.404279Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T17:44:22.290Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "directus",
"vendor": "directus",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.12.0, \u003c 11.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the \"Webhook\" trigger and the \"Data of Last Operation\" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse. Version 11.5.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T17:26:51.803Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h"
}
],
"source": {
"advisory": "GHSA-fm3h-p9wm-h74h",
"discovery": "UNKNOWN"
},
"title": "Directus\u0027s webhook trigger flows can leak sensitive data"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30353",
"datePublished": "2025-03-26T17:26:51.803Z",
"dateReserved": "2025-03-21T14:12:06.270Z",
"dateUpdated": "2025-03-26T17:44:22.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-30353\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-03-26T18:15:27.327\",\"lastModified\":\"2025-08-26T01:47:43.713\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the \\\"Webhook\\\" trigger and the \\\"Data of Last Operation\\\" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse. Version 11.5.0 fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Directus es un panel de control de API y aplicaciones en tiempo real para gestionar el contenido de bases de datos SQL. A partir de la versi\u00f3n 9.12.0 y anteriores a la 11.5.0, cuando un flujo con el disparador \\\"Webhook\\\" y el cuerpo de respuesta \\\"Datos de la \u00faltima operaci\u00f3n\\\" encuentra un error de validaci\u00f3n generado por una operaci\u00f3n condicional fallida, la respuesta de la API incluye datos confidenciales. Estos incluyen variables de entorno, claves de API confidenciales, informaci\u00f3n de responsabilidad del usuario y datos operativos. Este problema supone un riesgo de seguridad significativo, ya que cualquier exposici\u00f3n involuntaria de estos datos podr\u00eda dar lugar a un posible uso indebido. La versi\u00f3n 11.5.0 soluciona el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"9.12.0\",\"versionEndExcluding\":\"11.5.0\",\"matchCriteriaId\":\"F6E0D59B-7EE8-4275-BE4F-10D92F7D51EC\"}]}]}],\"references\":[{\"url\":\"https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-30353\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-26T17:43:59.404279Z\"}}}], \"references\": [{\"url\": \"https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-26T17:44:13.597Z\"}}], \"cna\": {\"title\": \"Directus\u0027s webhook trigger flows can leak sensitive data\", \"source\": {\"advisory\": \"GHSA-fm3h-p9wm-h74h\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"directus\", \"product\": \"directus\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 9.12.0, \u003c 11.5.0\"}]}], \"references\": [{\"url\": \"https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h\", \"name\": \"https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the \\\"Webhook\\\" trigger and the \\\"Data of Last Operation\\\" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse. Version 11.5.0 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-03-26T17:26:51.803Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-30353\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-26T17:44:22.290Z\", \"dateReserved\": \"2025-03-21T14:12:06.270Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-03-26T17:26:51.803Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
GHSA-FM3H-P9WM-H74H
Vulnerability from github – Published: 2025-03-26 20:08 – Updated: 2025-03-26 20:08
VLAI?
Summary
Directus's webhook trigger flows can leak sensitive data
Details
Describe the Bug
In Directus, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data.
This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse.
To Reproduce
Steps to Reproduce:
1. Create a Flow in Directus with:
- Trigger: Webhook
- Response Body: Data of Last Operation
2. Add a condition that is likely to fail.
3. Trigger the Flow with any input data that will fail the condition.
4. Observe the API response, which includes sensitive information like:
- Environmental variables ($env)
- Authorization headers
- User details under $accountability
- Previous operational data.
Expected Behavior: In the event of a ValidationError, the API response should only contain relevant error messages and details, avoiding the exposure of sensitive data.
Actual Behavior:
The API response includes sensitive information such as:
- Environment keys (FLOWS_ENV_ALLOW_LIST)
- User accountability (role, user, etc.)
- Operational logs (current_payments, $last), which might contain private details.
Severity ?
8.6 (High)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "directus"
},
"ranges": [
{
"events": [
{
"introduced": "9.12.0"
},
{
"fixed": "11.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-30353"
],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-26T20:08:58Z",
"nvd_published_at": "2025-03-26T18:15:27Z",
"severity": "HIGH"
},
"details": "### Describe the Bug\n\n In Directus, when a **Flow** with the \"_Webhook_\" trigger and the \"_Data of Last Operation_\" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data.\n\nThis issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse.\n\n\n\n\n\n\n### To Reproduce\n\n**Steps to Reproduce:**\n1. Create a Flow in Directus with:\n - Trigger: Webhook\n - Response Body: Data of Last Operation\n2. Add a condition that is likely to fail.\n3. Trigger the Flow with any input data that will fail the condition.\n4. Observe the API response, which includes sensitive information like:\n - Environmental variables (`$env`)\n - Authorization headers\n - User details under `$accountability`\n - Previous operational data.\n\n**Expected Behavior:**\nIn the event of a ValidationError, the API response should only contain relevant error messages and details, avoiding the exposure of sensitive data.\n\n**Actual Behavior:**\nThe API response includes sensitive information such as:\n- Environment keys (`FLOWS_ENV_ALLOW_LIST`)\n- User accountability (`role`, `user`, etc.)\n- Operational logs (`current_payments`, `$last`), which might contain private details.",
"id": "GHSA-fm3h-p9wm-h74h",
"modified": "2025-03-26T20:08:58Z",
"published": "2025-03-26T20:08:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30353"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Directus\u0027s webhook trigger flows can leak sensitive data"
}
FKIE_CVE-2025-30353
Vulnerability from fkie_nvd - Published: 2025-03-26 18:15 - Updated: 2025-08-26 01:47
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse. Version 11.5.0 fixes the issue.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h | Exploit, Third Party Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "F6E0D59B-7EE8-4275-BE4F-10D92F7D51EC",
"versionEndExcluding": "11.5.0",
"versionStartIncluding": "9.12.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the \"Webhook\" trigger and the \"Data of Last Operation\" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse. Version 11.5.0 fixes the issue."
},
{
"lang": "es",
"value": "Directus es un panel de control de API y aplicaciones en tiempo real para gestionar el contenido de bases de datos SQL. A partir de la versi\u00f3n 9.12.0 y anteriores a la 11.5.0, cuando un flujo con el disparador \"Webhook\" y el cuerpo de respuesta \"Datos de la \u00faltima operaci\u00f3n\" encuentra un error de validaci\u00f3n generado por una operaci\u00f3n condicional fallida, la respuesta de la API incluye datos confidenciales. Estos incluyen variables de entorno, claves de API confidenciales, informaci\u00f3n de responsabilidad del usuario y datos operativos. Este problema supone un riesgo de seguridad significativo, ya que cualquier exposici\u00f3n involuntaria de estos datos podr\u00eda dar lugar a un posible uso indebido. La versi\u00f3n 11.5.0 soluciona el problema."
}
],
"id": "CVE-2025-30353",
"lastModified": "2025-08-26T01:47:43.713",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-26T18:15:27.327",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…