CVE-2025-27089
📋 TL;DR
This vulnerability in Directus allows users with overlapping update permissions to modify fields they shouldn't have access to. When multiple policies grant access to different fields under different conditions, the system incorrectly allows updating the union of all permitted fields across all policies. This affects all Directus installations with overlapping user permissions.
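The merge flaw described above, as an added illustration that is not Directus code: each hypothetical policy grants update access to a few fields only for items matching its condition, and the vulnerable merge unions the field lists of every policy the user holds before the per-item condition is applied.

```javascript
// Constructed illustration (not Directus code) of the permission-merge flaw.
// Hypothetical policies: one lets a user edit the description of their own
// profile; another lets a manager reset the password of a direct report.
const policies = [
  { name: "own_profile", fields: ["description"],
    matches: (item, user) => item.id === user.id },
  { name: "manage_reports", fields: ["password"],
    matches: (item, user) => item.manager === user.id },
];

// Vulnerable merge: once any policy matches the item, the user gets the
// union of fields from every policy, regardless of which one matched.
function allowedFieldsVulnerable(policies, item, user) {
  if (!policies.some((p) => p.matches(item, user))) return new Set();
  return new Set(policies.flatMap((p) => p.fields));
}

// Corrected check (assumed semantics): a field is permitted only if some
// policy whose condition the item satisfies grants that field.
function allowedFieldsFixed(policies, item, user) {
  const allowed = new Set();
  for (const p of policies) {
    if (p.matches(item, user)) p.fields.forEach((f) => allowed.add(f));
  }
  return allowed;
}

// Payload keys a given checker would reject for this update.
function rejectedFields(checker, item, user, payload) {
  const allowed = checker(policies, item, user);
  return Object.keys(payload).filter((f) => !allowed.has(f));
}

// Constructed sample: alice (id 1) updates her own profile and includes a
// password change in the same request. The vulnerable merge accepts the whole
// payload; the fixed check rejects "password", since the only policy matching
// alice's own profile does not grant it.
const alice = { id: 1 };
const aliceProfile = { id: 1, manager: 7 };
const payload = { description: "hello", password: "new-secret" };
console.log(rejectedFields(allowedFieldsVulnerable, aliceProfile, alice, payload));
console.log(rejectedFields(allowedFieldsFixed, aliceProfile, alice, payload));
```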
💻 Affected Systems
- Directus
📦 What is this software?
Directus by Monospace
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify sensitive fields like passwords, potentially gaining unauthorized access to user accounts or escalating privileges.
Likely Case
Users with overlapping permissions unintentionally gain access to additional fields, potentially modifying data they shouldn't be able to edit.
If Mitigated
With proper field-level access controls and minimal permission overlap, impact is limited to minor data integrity issues.
🎯 Exploit Status
Exploitation requires authenticated users with specific overlapping permission configurations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v11.1.2
Vendor Advisory: https://github.com/directus/directus/security/advisories/GHSA-99vm-5v2h-h6r6
Restart Required: Yes
Instructions:
1. Back up your Directus instance and database.
2. Update Directus to version 11.1.2 or later using your package manager.
3. Restart the Directus service.
4. Verify the update was successful.
🔧 Temporary Workarounds
No workarounds available
The vendor states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Review and minimize overlapping permissions in your Directus configuration
- Implement additional application-level validation for sensitive field updates
🔍 How to Verify
Check if Vulnerable:
Check your Directus version. If it's below 11.1.2 and you have overlapping update permissions configured, you are vulnerable.
Check Version:
Check the Directus admin panel, or run: node -e "console.log(require('./package.json').version)" in your Directus installation directory
Verify Fix Applied:
After updating to 11.1.2 or later, test that users with overlapping permissions can only update fields they should have access to per individual policy.
📡 Detection & Monitoring
Log Indicators:
- Unusual update operations where users modify fields outside their normal permission scope
- Multiple update attempts on fields that should be restricted
Network Indicators:
- Increased API calls to update endpoints from users with overlapping permissions
SIEM Query:
source="directus" AND (event="update" OR operation="UPDATE") AND user.permissions="overlapping"