CVE-2025-53889

MEDIUM EPSS 31.3%
Published Jul 15, 202511mo ago · Modified Jun 17, 20261w ago
6.5 CVSS 3.1
Medium
Find Similar
Published Jul 15, 2025 11mo ago
Last Modified Jun 17, 2026 1w ago

Description

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to the Flow executing potential tasks on the attacker's behalf without authenticating. Bad actors could execute the manual trigger Flows without authentication, or access rights to the said collection(s) or item(s). Users with manual trigger Flows configured are impacted as these endpoints do not currently validate if the user has read access to `directus_flows` or to the relevant collection/items. The manual trigger Flows should have tighter security requirements as compared to webhook Flows where users are expected to perform do their own checks. Version 11.9.0 fixes the issue. As a workaround, implement permission checks for read access to Flows and read access to relevant collection/items.

CVSS Details

Base Score
6.5
Exploitability
3.9
Impact
2.5
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
31.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-287 Improper Authentication Authentication

Affected Products 1

VendorProductVersionRange
monospacedirectus*≥9.12.0  –  <11.9.0

References 3

  • github.com https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb
    Patch
  • github.com https://github.com/directus/directus/releases/tag/v11.9.0
    Release Notes
  • github.com https://github.com/directus/directus/security/advisories/GHSA-7cvf-pxgp-42fc
    Third Party Advisory

Remediation

  • github.com https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb
    Patch