CVE-2025-53889
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-07-16
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| monospace | directus | From 9.12.0 (inc) to 11.9.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Directus affects manual trigger Flows in versions from 9.12.0 up to but not including 11.9.0. These manual trigger Flows do not check whether the user triggering them has the necessary permissions to access the items included in the Flow's payload. As a result, attackers can execute these Flows without authentication or proper authorization, potentially causing the Flow to perform actions on the attacker's behalf. This happens because the endpoints do not validate if the user has read access to the flows or the relevant collections/items. The issue is fixed in version 11.9.0. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute manual trigger Flows without authentication or proper permissions, potentially leading to unauthorized actions being performed on your database collections or items. This could result in limited data exposure or modification since the attacker can trigger flows that manipulate data without having the required access rights. However, it does not cause denial of service. Users who have manual trigger Flows configured are particularly impacted. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your Directus instance is running a version from 9.12.0 up to but not including 11.9.0 and whether manual trigger Flows are configured. Since the vulnerability involves unauthorized execution of manual trigger Flows without authentication or permission checks, you can monitor network traffic for unauthenticated requests to manual trigger Flow endpoints. Additionally, inspecting logs for manual trigger Flow executions without corresponding authenticated user sessions may indicate exploitation attempts. Specific commands depend on your environment, but for example, you can use network monitoring tools like tcpdump or Wireshark to filter HTTP requests to the Directus API endpoints related to Flows. Example command to capture HTTP POST requests to manual trigger endpoints (adjust URL/path accordingly): `tcpdump -i any -A 'tcp port 80 or 443' | grep 'POST /flows/manual-trigger'`. Note that traffic on port 443 is TLS-encrypted, so the grep only matches plaintext HTTP; for TLS deployments capture behind the reverse proxy or rely on the server logs instead. Also, review Directus server logs for unauthorized manual trigger Flow executions. [1]
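As an added defender-side example (not part of the BaseFortify page or of Directus itself), the two checks above in Python: a version-range test for the affected window and a scan of constructed JSON-per-line log records for manual-trigger POSTs that carry no authenticated user. The log field names (`method`, `path`, `status`, `user`) and the trigger path prefix are assumptions; adjust them to what your deployment actually logs.

```python
import json
import re
from typing import Iterable

# Affected range from the advisory: 9.12.0 (inclusive) up to 11.9.0 (exclusive).
AFFECTED_MIN = (9, 12, 0)
FIXED_IN = (11, 9, 0)


def parse_version(version: str) -> tuple:
    """Turn 'v11.8.2' or '11.8.2-rc.1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the Directus version falls inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def find_unauthenticated_triggers(log_lines: Iterable[str],
                                  trigger_prefix: str = "/flows/manual-trigger") -> list:
    """Return (path, status) for POSTs to manual-trigger endpoints with no authenticated user.

    Log shape is an assumption for this example: one JSON object per line with
    'method', 'path', 'status' and 'user' (null or missing when unauthenticated).
    trigger_prefix is also an assumption; set it to the trigger path your instance exposes.
    """
    hits = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise such as startup banners
        if rec.get("method") != "POST" or not rec.get("path", "").startswith(trigger_prefix):
            continue
        if not rec.get("user"):
            hits.append((rec["path"], rec.get("status")))
    return hits


# Constructed sample log lines (not real Directus output) for a quick self-check.
SAMPLE_LOG = [
    '{"method":"POST","path":"/flows/manual-trigger/abc123","status":200,"user":null}',
    '{"method":"POST","path":"/flows/manual-trigger/abc123","status":200,"user":"admin"}',
    '{"method":"GET","path":"/items/articles","status":200,"user":null}',
    'Directus started at http://0.0.0.0:8055',
]

if __name__ == "__main__":
    print(is_affected("11.8.2"), find_unauthenticated_triggers(SAMPLE_LOG))
```

A hit on a version inside the range is only an indicator; confirm the executed Flow and the item permissions it touched before treating it as exploitation.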
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Directus to version 11.9.0 or later, where the vulnerability is fixed. If upgrading is not immediately possible, implement manual permission checks to ensure users triggering manual Flows have read access to the directus_flows and relevant collections/items. Restrict access to manual trigger Flow endpoints to authenticated users only. Review and disable any unnecessary manual trigger Flows to reduce attack surface. Applying these mitigations will prevent unauthorized users from executing manual trigger Flows without proper permissions. [1]