CVE-2025-30353 – directus

Package

Manager: npm
Name: directus
Vulnerable Version: >=9.12.0 <11.5.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

EPSS: 0.00057 pctl0.17685

Details

Directus's webhook trigger flows can leak sensitive data ### Describe the Bug In Directus, when a **Flow** with the "_Webhook_" trigger and the "_Data of Last Operation_" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse.    ### To Reproduce **Steps to Reproduce:** 1. Create a Flow in Directus with: - Trigger: Webhook - Response Body: Data of Last Operation 2. Add a condition that is likely to fail. 3. Trigger the Flow with any input data that will fail the condition. 4. Observe the API response, which includes sensitive information like: - Environmental variables (`$env`) - Authorization headers - User details under `$accountability` - Previous operational data. **Expected Behavior:** In the event of a ValidationError, the API response should only contain relevant error messages and details, avoiding the exposure of sensitive data. **Actual Behavior:** The API response includes sensitive information such as: - Environment keys (`FLOWS_ENV_ALLOW_LIST`) - User accountability (`role`, `user`, etc.) - Operational logs (`current_payments`, `$last`), which might contain private details.

Metadata

Created: 2025-03-26T20:08:58Z
Modified: 2025-03-26T20:08:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-fm3h-p9wm-h74h/GHSA-fm3h-p9wm-h74h.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-fm3h-p9wm-h74h
Finding: F017
Auto approve: 1