GHSA-7CVF-PXGP-42FC
Vulnerability from github – Published: 2025-07-15 15:36 – Updated: 2025-07-15 15:37Summary
Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to the Flow executing potential tasks on the attacker's behalf without authenticating.
Impact
Bad actors could execute the manual trigger Flows without authentication, or access rights to the said collection(s) or item(s).
Users with manual trigger Flows configured are impacted as these endpoints do not currently validate if the user has read access to directus_flows or to the relevant collection/items. The manual trigger Flows should have tighter security requirements as compared to webhook Flows where users are expected to perform do their own checks.
Workarounds
Users have to implement permission checks for read access to Flows and read access to relevant collection/items.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "directus"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53889"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-15T15:36:59Z",
"nvd_published_at": "2025-07-15T00:15:23Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nDirectus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to the Flow executing potential tasks on the attacker\u0027s behalf without authenticating.\n\n### Impact\n\nBad actors could execute the manual trigger Flows without authentication, or access rights to the said collection(s) or item(s).\n\nUsers with manual trigger Flows configured are impacted as these endpoints do not currently validate if the user has read access to `directus_flows` or to the relevant collection/items. The manual trigger Flows should have tighter security requirements as compared to webhook Flows where users are expected to perform do their own checks.\n\n### Workarounds\nUsers have to implement permission checks for read access to Flows and read access to relevant collection/items.",
"id": "GHSA-7cvf-pxgp-42fc",
"modified": "2025-07-15T15:37:00Z",
"published": "2025-07-15T15:36:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-7cvf-pxgp-42fc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53889"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/releases/tag/v11.9.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Directus\u0027 insufficient permission checks can enable unauthenticated users to manually trigger Flows"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.