CVE-2025-53889

{"id": "CVE-2025-53889", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2025-07-15T00:15:23.997", "references": [{"url": "https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/directus/directus/releases/tag/v11.9.0", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/directus/directus/security/advisories/GHSA-7cvf-pxgp-42fc", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to the Flow executing potential tasks on the attacker's behalf without authenticating. Bad actors could execute the manual trigger Flows without authentication, or access rights to the said collection(s) or item(s). Users with manual trigger Flows configured are impacted as these endpoints do not currently validate if the user has read access to `directus_flows` or to the relevant collection/items. The manual trigger Flows should have tighter security requirements as compared to webhook Flows where users are expected to perform do their own checks. Version 11.9.0 fixes the issue. As a workaround, implement permission checks for read access to Flows and read access to relevant collection/items."}, {"lang": "es", "value": "Directus es una API en tiempo real y un panel de control de aplicaciones para gestionar el contenido de bases de datos SQL. A partir de la versi\u00f3n 9.12.0 y anteriores a la 11.9.0, los flujos de Directus con un disparador manual no validan si el usuario que los activa tiene permisos sobre los elementos proporcionados como payload. Dependiendo de la configuraci\u00f3n del flujo, esto puede provocar que ejecute tareas en nombre del atacante sin autenticarse. Los atacantes podr\u00edan ejecutar los flujos de activaci\u00f3n manual sin autenticaci\u00f3n ni derechos de acceso a dichas colecciones o elementos. Los usuarios con flujos de activaci\u00f3n manual configurados se ven afectados, ya que estos endpoints no validan actualmente si el usuario tiene acceso de lectura a `directus_flows` o a la colecci\u00f3n o los elementos relevantes. Los flujos de activaci\u00f3n manual deber\u00edan tener requisitos de seguridad m\u00e1s estrictos que los flujos de webhook, donde se espera que los usuarios realicen sus propias comprobaciones. La versi\u00f3n 11.9.0 soluciona el problema. Como soluci\u00f3n alternativa, implemente comprobaciones de permisos para el acceso de lectura a los flujos y el acceso de lectura a la colecci\u00f3n o los elementos relevantes."}], "lastModified": "2025-07-16T14:20:25.787", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "867FB238-39A1-43B8-8ADE-39C1E0CDC390", "versionEndExcluding": "11.9.0", "versionStartIncluding": "9.12.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}