CVE-2025-53885
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-07-16
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| monospace | directus | From 9.0.0 (inc) to 11.9.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-53885 affects the Flows feature of Directus, specifically the "Log to Console" operation when it is attached to a flow triggered by create or update events on user records. In versions from 9.0.0 up to but not including 11.9.0, that operation wrote the trigger payload to the console without redacting it, so a malicious administrator with sufficiently high privileges could build a flow that captures other users' sensitive fields (passwords, tokens and authorization headers among them) whenever those users are created or updated. Version 11.9.0 fixes the issue by masking the values stored under sensitive keys before anything is logged. [2, 1, 3]
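An added illustration of the approach the fix takes, written for this page rather than taken from Directus: the unsafe operation serialises the trigger payload exactly as received, while the hardened one first walks the object and masks every value stored under one of the sensitive keys the advisory names. The `--redacted--` placeholder, the function names and the sample payload are assumptions made for this example, not Directus's own code or data.

```javascript
// Added example, not Directus code. Key list as named in the advisory;
// the '--redacted--' marker is an assumption for illustration.
const SENSITIVE_KEYS = new Set([
  'authorization', 'cookie', 'access_token', 'password',
  'token', 'tfa_secret', 'external_identifier', 'auth_data',
]);
const REDACTED = '--redacted--';

// Recursively copy `value`, replacing the value of any key in SENSITIVE_KEYS
// (matched case-insensitively, so a "Authorization" header is caught too).
// Objects already visited are replaced by the marker, which breaks cycles
// such as a payload that references itself.
function redactObject(value, seen = new WeakSet()) {
  if (Array.isArray(value)) return value.map((v) => redactObject(v, seen));
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return REDACTED;
  seen.add(value);
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    out[key] = SENSITIVE_KEYS.has(key.toLowerCase()) ? REDACTED : redactObject(v, seen);
  }
  return out;
}

// Pre-11.9.0 shape as the advisory describes it: the payload is logged as-is.
function logToConsoleUnsafe(payload) {
  const line = JSON.stringify(payload);
  console.log(line);
  return line;
}

// Hardened shape: redact first, then serialise and log.
function logToConsoleSafe(payload) {
  const line = JSON.stringify(redactObject(payload));
  console.log(line);
  return line;
}

// Constructed sample resembling what a users.update trigger could carry
// (event name, affected keys, submitted fields and the request headers).
const samplePayload = {
  event: 'users.update',
  keys: ['a1b2c3'],
  payload: {
    email: 'alice@example.com',
    password: 'NewP@ssw0rd!',
    tfa_secret: 'JBSWY3DPEHPK3PXP',
  },
  headers: {
    Authorization: 'Bearer eyJhbGciOi.example',
    cookie: 'directus_refresh_token=abc123',
  },
};

logToConsoleUnsafe(samplePayload); // leaks password, tfa_secret, headers
logToConsoleSafe(samplePayload);   // same line with those values masked
```

The email survives redaction and the password, two-factor secret, authorization header and cookie do not; matching on key names rather than on value patterns is what makes this robust to arbitrary secret formats.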
How can this vulnerability impact me?
If a malicious administrator attaches a "Log to Console" operation to a flow that fires on user create or update events, the console output contains the sensitive fields of the affected user records in plaintext, passwords, tokens and authorization headers among them. Anyone who can read that output (the container's stdout, a log file, or a central log platform that ingests it) can reuse those credentials, so the exposure reaches beyond Directus itself and lasts as long as the logs are retained. Exploitation needs an account that already holds high administrator privileges and only produces data when a user record is created or updated, which is why the impact is described as limited to that scenario and as requiring user interaction. [2, 1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can negatively affect compliance with data protection standards and regulations such as GDPR and HIPAA because it involves the exposure of sensitive personal data through unredacted logging. Improper handling and exposure of sensitive user information in logs can lead to violations of confidentiality and data protection requirements mandated by these regulations. Organizations using affected versions of Directus may risk non-compliance if sensitive data is logged and exposed without adequate safeguards. [2, 1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start by confirming the running version: anything from 9.0.0 up to but not including 11.9.0 is affected (for example, via the version reported by `GET /server/info` to an authenticated administrator). Then look for the at-risk configuration: in the Flows settings, any flow whose trigger is an event on the `directus_users` collection and which contains a "Log to Console" operation. Finally, review the output those flows produced. Directus writes its log to stdout, so `/path/to/directus/logs` below stands for wherever that output lands (a file, `docker logs <container>`, or the service journal). The sensitive keys named in the advisory are authorization headers, cookies, access tokens, passwords, tokens, two-factor authentication secrets, external identifiers and authentication data, so `grep -i 'authorization' /path/to/directus/logs` or `grep -E 'password|token|access_token|tfa_secret' /path/to/directus/logs` will surface candidate lines. Expect false positives from these word-level patterns (benign messages mention tokens too); when triaging, match on JSON keys such as `"password":` and treat any unmasked value as evidence that the data was exposed. [2, 3]
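A structured alternative to the `grep` patterns, added here as example code (not part of the page or of Directus): it parses each log line as JSON where it can, including a JSON payload stringified inside pino's `msg` field, and reports only sensitive keys whose value is not already masked, so a benign message that merely contains the word "token" is not flagged. The key list comes from the advisory; the `--redacted--` marker, the function names and the sample log lines are constructed for this example.

```javascript
// Added example, not Directus code: find unredacted sensitive keys in
// Directus log output. Handles raw mode (one JSON object per line, with the
// flow message stringified inside "msg"), pretty mode (a JSON object after a
// timestamp/level prefix) and, as a last resort, bare "key": "value" text.
// Key list as named in the advisory; the '--redacted--' marker is assumed.
const SENSITIVE_KEYS = new Set([
  'authorization', 'cookie', 'access_token', 'password',
  'token', 'tfa_secret', 'external_identifier', 'auth_data',
]);
const REDACTED = '--redacted--';

function tryParseJson(text) {
  const t = text.trim();
  if (!t.startsWith('{') && !t.startsWith('[')) return undefined;
  try { return JSON.parse(t); } catch { return undefined; }
}

// Collect dotted paths of sensitive keys whose value is still present.
// Strings that are themselves JSON are parsed and walked too, which is how a
// stringified payload inside pino's "msg" field gets inspected.
function findLeaks(value, path = '', out = []) {
  if (typeof value === 'string') {
    const inner = tryParseJson(value);
    if (inner !== undefined) findLeaks(inner, path, out);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findLeaks(v, `${path}[${i}]`, out));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, v] of Object.entries(value)) {
      const p = path ? `${path}.${key}` : key;
      if (!SENSITIVE_KEYS.has(key.toLowerCase())) {
        findLeaks(v, p, out);
      } else if (v !== REDACTED && v !== null && v !== '') {
        out.push(p);
      }
    }
  }
  return out;
}

// Returns the leaked key paths for one line, or [] when it is clean.
function scanLogLine(line) {
  const whole = tryParseJson(line);
  if (whole !== undefined) return findLeaks(whole);
  const brace = line.indexOf('{');
  if (brace !== -1) {
    const embedded = tryParseJson(line.slice(brace));
    if (embedded !== undefined) return findLeaks(embedded);
  }
  // Fallback matches JSON-style keys rather than bare words, so a message
  // such as "Token refresh job finished" is not reported.
  const leaks = [];
  for (const m of line.matchAll(/"([A-Za-z_]+)"\s*:\s*"((?:[^"\\]|\\.)*)"/g)) {
    if (SENSITIVE_KEYS.has(m[1].toLowerCase()) && m[2] !== REDACTED && m[2] !== '') leaks.push(m[1]);
  }
  return leaks;
}

// Returns [{ line: <1-based number>, leaks: [<key paths>] }] for offending lines only.
function scanLog(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    const leaks = scanLogLine(line);
    if (leaks.length > 0) findings.push({ line: i + 1, leaks });
  });
  return findings;
}

// Constructed sample log, not captured from a real instance:
// line 1 raw mode with a stringified payload, line 2 pretty mode already
// redacted, line 3 pretty mode unredacted, line 4 a benign message.
const SAMPLE_LOG = [
  JSON.stringify({ level: 30, time: 1752537600000, msg: JSON.stringify({
    event: 'users.create', payload: { email: 'bob@example.com', password: 'hunter2' } }) }),
  '[12:00:00.000] INFO: {"event":"users.update","payload":{"token":"--redacted--"}}',
  '[12:00:01.000] INFO: {"headers":{"Authorization":"Bearer eyJhbGciOi.example"},"payload":{"tfa_secret":"JBSWY3DPEHPK3PXP"}}',
  '[12:00:02.000] INFO: Token refresh job finished',
].join('\n');

console.log(JSON.stringify(scanLog(SAMPLE_LOG)));
```

Directus writes its log to stdout (pino, with `LOG_STYLE` set to `pretty` or `raw`), so feed this the text of `docker logs <container> 2>&1` or the service journal rather than a fixed file path, and review each reported path by hand before concluding that a secret was exposed.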
What immediate steps should I take to mitigate this vulnerability?
Upgrade to Directus 11.9.0 or later, which redacts sensitive keys before the "Log to Console" operation writes anything; that is the fix and the long-term answer. Until the upgrade is in place: audit the Flows configuration and remove or disable any "Log to Console" operation attached to a flow triggered by events on `directus_users`; do not use the operation to log trigger payloads outside development environments; and review who holds administrator access, since the attack requires it. Treat logs that already contain user fields as compromised: rotate any passwords, tokens or two-factor secrets that appear in them, and purge or restrict access to the affected log output. [2, 1]