CVE-2025-53887

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-53887
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly being used as OpenAPI Spec version this means that it is being exposed by the `/server/specs/oas` endpoint without authentication. With the exact version information a malicious attacker can look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version. Version 11.9.0 fixes the issue.

5.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/directus/directus/commit/e74f3e4e92edc33b5f83eefb001a3d2a85af17a3 Patch
https://github.com/directus/directus/pull/25353 Patch
https://github.com/directus/directus/releases/tag/v11.9.0 Release Notes
https://github.com/directus/directus/security/advisories/GHSA-rmjh-cf9q-pv7q Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*
History

16 Jul 2025, 14:19

Type Values Removed Values Added
First Time Monospace directus
Monospace
CPE cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*
References () https://github.com/directus/directus/commit/e74f3e4e92edc33b5f83eefb001a3d2a85af17a3 - () https://github.com/directus/directus/commit/e74f3e4e92edc33b5f83eefb001a3d2a85af17a3 - Patch
References () https://github.com/directus/directus/pull/25353 - () https://github.com/directus/directus/pull/25353 - Patch
References () https://github.com/directus/directus/releases/tag/v11.9.0 - () https://github.com/directus/directus/releases/tag/v11.9.0 - Release Notes
References () https://github.com/directus/directus/security/advisories/GHSA-rmjh-cf9q-pv7q - () https://github.com/directus/directus/security/advisories/GHSA-rmjh-cf9q-pv7q - Third Party Advisory

15 Jul 2025, 13:14

Type Values Removed Values Added
Summary
  • (es) Directus es una API en tiempo real y un panel de control de aplicaciones para gestionar el contenido de bases de datos SQL. A partir de la versión 9.0.0 y anteriores a la 11.9.0, el número de versión exacto de Directus se utiliza incorrectamente como versión de OpenAPI Spec, lo que significa que el endpoint `/server/specs/oas` lo expone sin autenticación. Con la información exacta de la versión, un atacante malicioso puede buscar vulnerabilidades conocidas en el núcleo de Directus o en cualquiera de sus dependencias incluidas en esa versión específica. La versión 11.9.0 soluciona este problema.

15 Jul 2025, 00:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-15 00:15

Updated : 2025-07-16 14:19

NVD link : CVE-2025-53887

Mitre link : CVE-2025-53887

CVE.ORG link : CVE-2025-53887

JSON object : View

Products Affected

monospace

  • directus
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor