CVE-2025-53886

MEDIUM EPSS 30.6%
Published Jul 15, 202511mo ago · Modified Jun 17, 20261w ago
4.5 CVSS 3.1
Medium
Find Similar
Published Jul 15, 2025 11mo ago
Last Modified Jun 17, 2026 1w ago

Description

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming request details are logged including security sensitive data like access and refresh tokens in cookies. Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them triggering the Flow. Version 11.9.0 fixes the issue.

CVSS Details

Base Score
4.5
Exploitability
0.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
30.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 3

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure
CWE-212
CWE-532

Affected Products 1

VendorProductVersionRange
monospacedirectus*≥9.0.0  –  <11.9.0

References 4

  • github.com https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb
    Patch
  • github.com https://github.com/directus/directus/pull/25354
    Patch
  • github.com https://github.com/directus/directus/releases/tag/v11.9.0
    Release Notes
  • github.com https://github.com/directus/directus/security/advisories/GHSA-f24x-rm6g-3w5v
    Third Party Advisory

Remediation

  • github.com https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb
    Patch
  • github.com https://github.com/directus/directus/pull/25354
    Patch