CVE-2025-53886
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-07-16
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| monospace | directus | From 9.0.0 (inc) to 11.9.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-212 | The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-532 | The product writes sensitive information to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-53886 is a vulnerability in Directus versions from 9.0.0 up to but not including 11.9.0. When Directus Flows are used with the WebHook trigger, all incoming request details are logged, including sensitive security data such as the access and refresh tokens carried in cookies. A malicious administrator with access to these logs can therefore hijack user sessions for as long as the tokens remain valid. The issue is an exposure of sensitive information through log files and was fixed in version 11.9.0. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing malicious administrators with access to the logs to hijack user sessions by stealing access and refresh tokens logged in the Flow logs. This can lead to unauthorized access to user accounts and potentially sensitive data during the token validity period. The attack requires administrative privileges and user interaction but can be exploited remotely with low complexity. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the logs generated by Directus Flows when the WebHook trigger is used. Specifically, look for log entries that contain incoming request details including sensitive security data such as access and refresh tokens in cookies. Since the vulnerability involves exposure of sensitive tokens in logs, you can search the log files for patterns matching access or refresh tokens or Cookie headers. For example, on a system where Directus logs are stored, you might use commands like:
1) grep -i 'cookie' /path/to/directus/logs/*
2) grep -E 'access_token|refresh_token' /path/to/directus/logs/*
These commands help identify whether sensitive tokens are being logged. Additionally, monitoring for unexpected access to the logs or suspicious activity by administrators with log access could indicate exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Directus to version 11.9.0 or later, where the issue is fixed. This update restricts manual flow executions to users with appropriate permissions and improves redaction in Flow logs to prevent sensitive token exposure. Until the upgrade is applied, restrict administrative access to logs to trusted personnel only, and consider rotating any potentially exposed access and refresh tokens to invalidate compromised sessions. Additionally, review and tighten permissions related to Flow triggers and manual executions to minimize risk. [1, 2, 3]
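The two defensive tasks described above, redacting request details before they reach a Flow log and searching existing log lines for tokens that were already written, as an added example in JavaScript (Directus runs on Node.js). This is not Directus's own code: the header, cookie and body-field names it treats as sensitive, and the sample log lines it scans, are assumptions constructed for illustration.

```javascript
// Added example, not Directus project code. Part 1 builds a log-safe copy of
// a webhook request; part 2 scans log lines for credentials that slipped
// through. Names below are assumed for illustration, not taken from Directus.

// Headers whose whole value is replaced before logging (assumed list).
const SENSITIVE_HEADERS = ['authorization', 'cookie', 'set-cookie', 'x-api-key'];
// Body fields that carry session material or credentials (assumed names).
const SENSITIVE_FIELD = /(access|refresh|session)[_-]?token|^authorization$|^password$/i;

// Keep cookie names so the log still shows which cookies arrived, but never
// their values: redacting every value avoids guessing which ones are tokens.
function redactCookieHeader(value) {
  return value
    .split(';')
    .map((pair) => {
      const idx = pair.indexOf('=');
      if (idx === -1) return pair.trim();
      return `${pair.slice(0, idx).trim()}=[REDACTED]`;
    })
    .join('; ');
}

// Return a new object safe to write to a log. The original request is left
// untouched, so the Flow operation itself still sees the real values.
function redactRequestForLog(req) {
  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    const lower = name.toLowerCase();
    if (lower === 'cookie') headers[name] = redactCookieHeader(String(value));
    else if (SENSITIVE_HEADERS.includes(lower)) headers[name] = '[REDACTED]';
    else headers[name] = value;
  }
  const body = {};
  for (const [key, value] of Object.entries(req.body || {})) {
    body[key] = SENSITIVE_FIELD.test(key) ? '[REDACTED]' : value;
  }
  return { method: req.method, url: req.url, headers, body };
}

// Detection side: a line is flagged when a token-named cookie or field
// carries a value of at least 8 token characters, or an Authorization header
// carries a bearer credential. A bare Cookie header with no token is ignored,
// which keeps the noise lower than grep -i 'cookie' alone.
const LEAK_PATTERNS = [
  { kind: 'token-cookie-or-field',
    re: /(access|refresh|session)[_-]?token["']?\s*[=:]\s*["']?[A-Za-z0-9._-]{8,}/i },
  { kind: 'bearer-authorization',
    re: /authorization["']?\s*[=:]\s*["']?bearer\s+[A-Za-z0-9._-]{8,}/i },
];

function findLeakedTokens(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    for (const { kind, re } of LEAK_PATTERNS) {
      if (re.test(line)) {
        hits.push({ lineNumber: i + 1, kind });
        break; // one finding per line is enough for triage
      }
    }
  });
  return hits;
}

// Constructed sample log lines; not real Directus output.
const SAMPLE_LOG = [
  '2025-07-15T10:00:00Z INFO flow webhook {"headers":{"cookie":"directus_refresh_token=rt_9f8e7d6c5b4a; theme=dark"}}',
  '2025-07-15T10:00:01Z INFO flow webhook {"headers":{"cookie":"theme=dark"}}',
  '2025-07-15T10:00:02Z INFO flow webhook {"headers":{"authorization":"Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig"}}',
  '2025-07-15T10:00:03Z INFO flow webhook {"headers":{"authorization":"[REDACTED]"}}',
];

// Stand-alone run: show the redacted form of a constructed request, then
// list which sample lines would need token rotation.
const demoRequest = {
  method: 'POST',
  url: '/flows/trigger/example-flow-id', // placeholder id
  headers: { Cookie: 'directus_refresh_token=rt_9f8e7d6c5b4a; theme=dark', 'Content-Type': 'application/json' },
  body: { email: 'user@example.test', refresh_token: 'rt_9f8e7d6c5b4a' },
};
console.log(JSON.stringify(redactRequestForLog(demoRequest)));
console.log(findLeakedTokens(SAMPLE_LOG));
```

Lines the scanner flags are the ones whose tokens should be treated as exposed and rotated; the redaction function is the shape of the control that stops new entries from needing that treatment. Because every cookie value is redacted, harmless cookies such as a theme preference are also hidden, a deliberate trade for not having to maintain an exact list of token cookie names.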