CVE-2025-55746
BaseFortify
Publication date: 2025-08-20
Last updated on: 2025-08-22
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| directus | directus | >= 10.8.0, < 11.9.3 (fixed in 11.9.3) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | Unrestricted Upload of File with Dangerous Type: the product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-73 | External Control of File Name or Path: the product allows user input to control or influence paths or file names that are used in filesystem operations. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Upgrade Directus to version 11.9.3 or later. Every release from 10.8.0 up to, but not including, 11.9.3 is affected, and 11.9.3 contains the fix for the unauthenticated file modification and upload issue. Because the flaw requires no authentication, restricting network exposure of the instance is only a stopgap; the upgrade is the actual fix.
Can you explain this vulnerability to me?
Directus versions from 10.8.0 up to, but not including, 11.9.3 allow an unauthenticated attacker to overwrite existing files with arbitrary content, or to upload new files with arbitrary content and an arbitrary extension. These writes bypass the normal upload path: the files' metadata in the database is not updated, so the uploaded or modified files may not appear in the Directus user interface at all. The flaw lies in the file update mechanism and is fixed in version 11.9.3.
How can this vulnerability impact me?
An attacker can create or modify files in the Directus storage without authentication, potentially leading to arbitrary code execution (depending on how the stored files are served or processed) or to persistent malicious content. Because the affected files are not reflected in the database or the UI, an attacker can hide them from administrators, undermining the integrity of the instance and possibly leading to further compromise or denial of service.