CVE-2025-53886

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming request details are logged including security sensitive data like access and refresh tokens in cookies. Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them triggering the Flow. Version 11.9.0 fixes the issue.

CVSS v3 4.5 MEDIUM

4.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb	Patch
https://github.com/directus/directus/pull/25354	Patch
https://github.com/directus/directus/releases/tag/v11.9.0	Release Notes
https://github.com/directus/directus/security/advisories/GHSA-f24x-rm6g-3w5v	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*

History

16 Jul 2025, 14:19

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-15 00:15

Updated : 2025-07-16 14:19

NVD link : CVE-2025-53886

Mitre link : CVE-2025-53886

CVE.ORG link : CVE-2025-53886

JSON object : View

Products Affected

monospace

directus

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2025-53886", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.9}]}, "published": "2025-07-15T00:15:23.690", "references": [{"url": "https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/directus/directus/pull/25354", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/directus/directus/releases/tag/v11.9.0", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/directus/directus/security/advisories/GHSA-f24x-rm6g-3w5v", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-212"}, {"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming request details are logged including security sensitive data like access and refresh tokens in cookies. Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them triggering the Flow. Version 11.9.0 fixes the issue."}, {"lang": "es", "value": "Directus es una API en tiempo real y un panel de control de aplicaciones para gestionar el contenido de bases de datos SQL. A partir de la versi\u00f3n 9.0.0 y anteriores a la 11.9.0, al usar flujos de Directus con el disparador de webhook, se registran todos los detalles de las solicitudes entrantes, incluyendo datos confidenciales como los tokens de acceso y actualizaci\u00f3n en las cookies. Administradores malintencionados con acceso a los registros pueden secuestrar las sesiones de usuario antes de que caduque el token al activar el flujo. La versi\u00f3n 11.9.0 soluciona este problema."}], "lastModified": "2025-07-16T14:19:03.560", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "F31E6F8B-BDA5-440E-AD39-A3EC8795C7E1", "versionEndExcluding": "11.9.0", "versionStartIncluding": "9.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}