logo_clicknbuy.png

CVE-2025-53889 – Directus Unauthenticated Flow Trigger Vulnerability

The following table lists the changes that have been made to the
CVE-2025-53889 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution
of a vulnerability, and for identifying the most recent changes that may
impact the vulnerability’s severity, exploitability, or other characteristics.

  • New CVE Received
    by [email protected]

    Jul. 15, 2025

    Action Type Old Value New Value
    Added Description Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to the Flow executing potential tasks on the attacker’s behalf without authenticating. Bad actors could execute the manual trigger Flows without authentication, or access rights to the said collection(s) or item(s). Users with manual trigger Flows configured are impacted as these endpoints do not currently validate if the user has read access to `directus_flows` or to the relevant collection/items. The manual trigger Flows should have tighter security requirements as compared to webhook Flows where users are expected to perform do their own checks. Version 11.9.0 fixes the issue. As a workaround, implement permission checks for read access to Flows and read access to relevant collection/items.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
    Added CWE CWE-287
    Added Reference https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb
    Added Reference https://github.com/directus/directus/releases/tag/v11.9.0
    Added Reference https://github.com/directus/directus/security/advisories/GHSA-7cvf-pxgp-42fc
Share the Post:

Related Posts