CVE-2025-53886

4.5 MEDIUM

📋 TL;DR

This vulnerability in Directus logs sensitive authentication tokens when using WebHook triggers in Flows, exposing access and refresh tokens in system logs. Malicious administrators with log access can hijack user sessions within token expiration periods. Affects Directus versions 9.0.0 through 11.8.9.

💻 Affected Systems

Products:
  • Directus
Versions: 9.0.0 through 11.8.9
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using Directus Flows with WebHook triggers. The vulnerability exists in default logging behavior for these triggers.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious admin steals access/refresh tokens from logs, hijacks user sessions, performs unauthorized actions as legitimate users, and potentially escalates privileges or exfiltrates sensitive data.

🟠 Likely Case

Privileged insider or compromised admin account accesses logs containing tokens, hijacks sessions of users who triggered WebHook flows, and performs unauthorized operations within those sessions.

🟢 If Mitigated

With proper access controls and log monitoring, impact is limited to authorized administrators who already have significant system access.

🌐 Internet-Facing: LOW - Exploitation requires administrative access to logs, not directly exploitable from internet-facing interfaces.
🏢 Internal Only: MEDIUM - Requires malicious or compromised administrator account with log access, but impact is significant within the organization.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative access to view system logs where tokens are recorded. No special tools or techniques needed beyond log access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.9.0

Vendor Advisory: https://github.com/directus/directus/security/advisories/GHSA-f24x-rm6g-3w5v

Restart Required: Yes

Instructions:

1. Back up your Directus instance and database.
2. Update Directus to version 11.9.0 or later using your package manager (npm/yarn/pnpm).
3. Restart the Directus service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable WebHook Flow Logging (platform: all)

Disable detailed logging for WebHook triggers in the Flows configuration so that tokens are not written to the system logs.

Restrict Log Access (platform: linux)

Implement strict access controls on log files and monitoring systems, for example:

chmod 640 /path/to/directus/logs/*
setfacl -m u:directus:r /path/to/directus/logs/

🧯 If You Can't Patch

  • Implement strict role-based access control to limit who can view system logs
  • Enable detailed audit logging for log access attempts and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the Directus version: if it is between 9.0.0 and 11.8.9 inclusive and the instance uses WebHook triggers in Flows, the system is vulnerable.

Check Version:

Run npx directus version, or check package.json for the Directus version.

Verify Fix Applied:

After updating to 11.9.0+, verify that WebHook trigger requests no longer log authentication tokens in system logs.

📡 Detection & Monitoring

Log Indicators:

  • Log entries containing 'access_token', 'refresh_token', or full cookie headers from WebHook trigger requests
  • Administrative access to log files outside normal patterns

Network Indicators:

  • Unusual session activity from administrative IP addresses
  • Multiple session creations from single user in short timeframe

SIEM Query:

source="directus_logs" AND ("access_token" OR "refresh_token" OR "cookie:") AND "webhook"
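As an added example (not code from this page or from Directus), the Node.js scanner below applies the log indicators above to a few constructed log lines: it flags entries from WebHook trigger requests that carry access/refresh tokens, bearer headers or cookie headers, and returns a redacted copy of each affected line. The log line format and the token values are constructed assumptions, not Directus's actual log format.

```javascript
// Added example (not Directus code): detect token leakage in log lines from
// Flows WebHook trigger requests and produce a redacted copy for forwarding.
// The log format below is a constructed assumption.

// Field patterns matching the Log Indicators: group 1 is the field prefix that
// is kept, group 2 is the secret value that gets redacted.
const SENSITIVE_PATTERNS = [
  { name: 'access_token', re: /("?access_token"?\s*[:=]\s*"?)([A-Za-z0-9._-]+)/g },
  { name: 'refresh_token', re: /("?refresh_token"?\s*[:=]\s*"?)([A-Za-z0-9._-]+)/g },
  { name: 'authorization', re: /(authorization"?\s*[:=]\s*"?Bearer\s+)([A-Za-z0-9._-]+)/gi },
  { name: 'cookie', re: /(cookie"?\s*[:=]\s*"?)([^"\n]+)/gi },
];

// Narrow to WebHook trigger activity, as the SIEM query above does with "webhook".
function isWebhookTriggerLine(line) {
  return /webhook/i.test(line) && /(trigger|flow)/i.test(line);
}

// Returns one finding per affected line: 1-based line number, which fields
// leaked, and the line with the secret values replaced by [REDACTED].
function scanLogLines(lines) {
  const findings = [];
  lines.forEach((line, index) => {
    if (!isWebhookTriggerLine(line)) return;
    const leaked = [];
    let redacted = line;
    for (const { name, re } of SENSITIVE_PATTERNS) {
      // String.prototype.match/replace reset lastIndex on global regexes,
      // so the shared pattern objects are safe to reuse across lines.
      if (redacted.match(re)) {
        leaked.push(name);
        redacted = redacted.replace(re, '$1[REDACTED]');
      }
    }
    if (leaked.length > 0) findings.push({ line: index + 1, leaked, redacted });
  });
  return findings;
}

// Constructed sample log: one leaking webhook line, one clean webhook line,
// and one non-webhook request that carries a token but is out of scope here.
const SAMPLE_LOG = [
  '[10:01:02] INFO: flow "notify" webhook trigger POST /flows/trigger/abc headers={"cookie":"directus_refresh_token=rt.constructed.value","authorization":"Bearer at.constructed.value"}',
  '[10:01:03] INFO: flow "notify" webhook trigger completed in 12ms',
  '[10:02:10] INFO: GET /items/articles 200 authorization=Bearer at.other.value',
];

console.log(JSON.stringify(scanLogLines(SAMPLE_LOG), null, 2));
```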
