CVE-2025-53889 – directus

Package

Manager: npm
Name: directus
Vulnerable Version: >=0 <11.9.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00079 pctl0.24276

Details

Directus' insufficient permission checks can enable unauthenticated users to manually trigger Flows ### Summary Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to the Flow executing potential tasks on the attacker's behalf without authenticating. ### Impact Bad actors could execute the manual trigger Flows without authentication, or access rights to the said collection(s) or item(s). Users with manual trigger Flows configured are impacted as these endpoints do not currently validate if the user has read access to `directus_flows` or to the relevant collection/items. The manual trigger Flows should have tighter security requirements as compared to webhook Flows where users are expected to perform do their own checks. ### Workarounds Users have to implement permission checks for read access to Flows and read access to relevant collection/items.

Metadata

Created: 2025-07-15T15:36:59Z
Modified: 2025-07-15T15:37:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-7cvf-pxgp-42fc/GHSA-7cvf-pxgp-42fc.json
CWE IDs: ["CWE-285", "CWE-287"]
Alternative ID: GHSA-7cvf-pxgp-42fc
Finding: F039
Auto approve: 1