CVE-2025-53889
📋 TL;DR
Directus versions 9.12.0 through 11.8.0 have an authentication bypass vulnerability in manual trigger Flows. Attackers can execute Flows without proper permissions, potentially performing unauthorized operations on database collections. Users with manual trigger Flows configured are affected.
💻 Affected Systems
- Directus
📦 What is this software?
Directus by Monospace
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise through unauthorized data manipulation, deletion, or privilege escalation via malicious Flow execution.
Likely Case
Unauthorized data access or modification in collections accessible through vulnerable Flows.
If Mitigated
Limited impact with proper network segmentation and minimal Flow permissions.
🎯 Exploit Status
Exploitation requires identifying manual trigger Flow endpoints and crafting appropriate payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.9.0
Vendor Advisory: https://github.com/directus/directus/security/advisories/GHSA-7cvf-pxgp-42fc
Restart Required: Yes
Instructions:
1. Backup your Directus instance and database.
2. Update Directus to version 11.9.0 or later.
3. Restart the Directus service.
4. Verify all manual trigger Flows still function correctly with proper authentication.
🔧 Temporary Workarounds
Implement manual permission checks
Add explicit permission validation in Flow configurations to check user access to directus_flows and the relevant collections/items.
Disable manual trigger Flows
Temporarily disable all manual trigger Flows until patching is complete.
🧯 If You Can't Patch
- Implement network-level access controls to restrict access to Directus Flow endpoints
- Review and audit all manual trigger Flows for sensitive operations and implement additional validation logic
🔍 How to Verify
Check if Vulnerable:
Check Directus version via admin panel or API. If version is between 9.12.0 and 11.8.0 and manual trigger Flows are configured, the instance is vulnerable.
Check Version:
curl -X GET 'http://directus-host/admin/version'
or check the version in the Directus admin interface.
Verify Fix Applied:
After updating to 11.9.0+, test manual trigger Flows with unauthorized users to confirm authentication is now required.
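The version check above, as an added example that is not part of the original advisory: a small Python helper that parses a Directus version string (as reported by the admin panel or API) and applies the affected range stated here, 9.12.0 through 11.8.0, together with the condition that manual trigger Flows are configured. Version strings with a leading "v" or a pre-release suffix are an assumption about possible input formats, not something the advisory specifies.

```python
"""Decide whether a Directus instance is in the range affected by CVE-2025-53889.

Added example; the vulnerable range and fixed version come from the advisory,
the accepted version string formats are assumptions.
"""
import re

VULN_MIN = (9, 12, 0)   # first affected version (from the advisory)
VULN_MAX = (11, 8, 0)   # last affected version (from the advisory)
FIXED = (11, 9, 0)      # patch version (from the advisory)


def parse_version(text: str) -> tuple:
    """Parse '11.8.0', 'v11.8.0' or '11.8.0-rc.1' into (major, minor, patch).

    Pre-release suffixes are ignored: a pre-release of 11.9.0 is treated as 11.9.0
    for range purposes, so confirm the exact build if that matters for you.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version: str, has_manual_trigger_flows: bool) -> bool:
    """True when the version is inside the affected range AND manual trigger Flows exist.

    Instances in range with no manual trigger Flows are not exposed to this issue,
    but should still be updated (see needs_update).
    """
    v = parse_version(version)
    return VULN_MIN <= v <= VULN_MAX and has_manual_trigger_flows


def needs_update(version: str) -> bool:
    """True when the instance is below the fixed version 11.9.0."""
    return parse_version(version) < FIXED


if __name__ == "__main__":
    for ver, flows in (("11.8.0", True), ("11.8.0", False), ("v9.12.0", True), ("11.9.0", True)):
        print(f"{ver:>8}  manual flows={flows!s:5}  vulnerable={is_vulnerable(ver, flows)}  "
              f"needs update={needs_update(ver)}")
```

Use this after collecting versions from each instance; the "manual trigger Flows configured" flag has to come from your own review of the Flows in the admin interface.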
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /flows/trigger endpoints
- Manual trigger Flow executions from unauthenticated or low-privilege users
Network Indicators:
- HTTP requests to /flows/trigger/* endpoints without proper authentication headers
SIEM Query:
source="directus" AND (uri_path="/flows/trigger" OR uri_path="/flows/trigger/*") AND (http_status=200 OR http_status=201) AND NOT (user_role="admin" OR user_role="authenticated")
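The same detection logic as the SIEM query above, run over sample log lines as an added example (not part of the original advisory and not Directus's own log format): it flags successful requests to /flows/trigger paths whose caller is not an admin or authenticated user. The JSON record layout, field names, role names other than "admin" and "authenticated", Flow IDs and IP addresses below are all constructed for the example; map them to your own access-log schema and role names before use.

```python
"""Flag manual-trigger Flow executions by unauthenticated or low-privilege callers.

Added example mirroring the advisory's SIEM query. The log records below are
constructed; field names (uri_path, http_status, user_role) follow the query,
not any real Directus log schema.
"""
import json
from fnmatch import fnmatch

TRIGGER_PATTERNS = ("/flows/trigger", "/flows/trigger/*")   # from the advisory
SUCCESS_STATUSES = {200, 201}                               # from the advisory
TRUSTED_ROLES = {"admin", "authenticated"}                  # adapt to your instance's role names

# Constructed sample log: one JSON record per line. Flow IDs and IPs are placeholders.
SAMPLE_LOG = """\
{"ts":"2025-07-01T10:00:01Z","method":"POST","uri_path":"/flows/trigger/00000000-0000-4000-8000-000000000001","http_status":200,"user_role":"admin","src_ip":"10.0.0.5"}
{"ts":"2025-07-01T10:00:07Z","method":"POST","uri_path":"/flows/trigger/00000000-0000-4000-8000-000000000001","http_status":200,"user_role":null,"src_ip":"203.0.113.9"}
{"ts":"2025-07-01T10:00:09Z","method":"POST","uri_path":"/flows/trigger/00000000-0000-4000-8000-000000000001","http_status":403,"user_role":"public","src_ip":"203.0.113.9"}
{"ts":"2025-07-01T10:00:12Z","method":"GET","uri_path":"/items/articles","http_status":200,"user_role":"public","src_ip":"203.0.113.9"}
{"ts":"2025-07-01T10:00:15Z","method":"POST","uri_path":"/flows/trigger/00000000-0000-4000-8000-000000000002","http_status":201,"user_role":"editor","src_ip":"198.51.100.7"}
"""


def is_trigger_path(path: str) -> bool:
    """True for /flows/trigger and anything beneath it (fnmatch '*' also matches '/')."""
    return any(fnmatch(path, pattern) for pattern in TRIGGER_PATTERNS)


def flag_records(lines) -> list:
    """Return the records that match the advisory's indicator.

    A missing or null user_role is treated as 'unauthenticated', which is the
    case the vulnerability makes possible and the one worth alerting on first.
    """
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        role = rec.get("user_role") or "unauthenticated"
        if (is_trigger_path(rec.get("uri_path", ""))
                and rec.get("http_status") in SUCCESS_STATUSES
                and role not in TRUSTED_ROLES):
            hits.append({"ts": rec["ts"], "src_ip": rec.get("src_ip"),
                         "role": role, "uri_path": rec["uri_path"],
                         "http_status": rec["http_status"]})
    return hits


def flag_sample() -> list:
    """Run the detector over the constructed sample log."""
    return flag_records(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for hit in flag_sample():
        print(f"{hit['ts']} {hit['src_ip']} role={hit['role']} "
              f"{hit['http_status']} {hit['uri_path']}")
```

Against the sample, the admin call and the 403 are ignored, while the unauthenticated 200 and the editor's 201 are flagged; the second of those shows why the trusted-role set should be reviewed rather than copied, since in some deployments an editor may legitimately trigger Flows.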