CVE-2025-55746
📋 TL;DR
This vulnerability allows unauthenticated attackers to modify existing files with arbitrary content, or to upload new files with arbitrary content and extensions, through the Directus file API. Because the write bypasses the normal upload flow, modified files are not reflected in the directus_files metadata and newly uploaded files do not appear in the Directus UI; they exist only on the configured storage backend, which also makes the tampering easy to miss. All Directus instances running versions 10.8.0 through 11.9.2 are affected; 11.9.3 contains the fix.
💻 Affected Systems
- Directus
📦 What is this software?
Directus by Monospace. Directus is an open-source, Node.js-based headless CMS and data platform that wraps a SQL database with REST and GraphQL APIs and an admin app. Its /files endpoints manage uploads, which are written to a configurable storage driver (local disk, S3, GCS, and others) and served back to clients through /assets.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could plant arbitrary files (webshells, malware, phishing pages) in the Directus storage location or silently overwrite existing assets that the application serves to users. Where another component executes or trusts files from that storage path (a web server configured to run scripts from the upload directory, a build or deployment job that consumes the assets), this can escalate to code execution on that component, a persistent backdoor, or destruction of stored content.
Likely Case
Attackers upload files with attacker-chosen extensions or replace existing files' contents. Directus itself is a Node.js application and does not execute uploaded files, so the direct impact is usually malicious content delivered to end users or downstream systems through /assets (defacement, malware distribution, swapped documents), with code execution depending on a second weakness such as a co-located web server that runs scripts from the storage directory. Because the database metadata is not updated, the replaced content is hard to spot from the admin UI.
If Mitigated
With file-API write requests restricted at the network or proxy layer, the storage location mounted so that nothing executes files from it, and file integrity monitoring in place, impact is limited to unauthorized file writes within the Directus storage area that are detected quickly.
🎯 Exploit Status
The vendor advisory (GHSA-mv33-9f6j-pfmc) confirms that exploitation requires no authentication. The issue is reachable with ordinary HTTP requests to the file API and needs no special preconditions, so it should be treated as trivially exploitable on any internet-exposed, unpatched instance.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.9.3
Vendor Advisory: https://github.com/directus/directus/security/advisories/GHSA-mv33-9f6j-pfmc
Restart Required: Yes
Instructions:
1. Back up the Directus database and the file storage location.
2. Update Directus to version 11.9.3 or later: for npm/yarn installs, update the directus package in the project; for container deployments, move to the directus/directus:11.9.3 (or later) image tag.
3. Restart the Directus service or container.
4. Verify the update: confirm the installed version (see How to Verify below) and re-check the Public role's permissions on directus_files so that unauthenticated uploads are not legitimately allowed.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the write methods of the Directus file endpoints (POST /files and PATCH /files/:id) to trusted source addresses using firewall or web application firewall rules. GET /assets, which only serves files, can remain reachable.
Authentication Enforcement
Configure the reverse proxy or middleware in front of Directus to reject POST, PATCH and DELETE requests under /files that carry no Authorization header, session cookie or access_token parameter. This blocks the unauthenticated path without relying on Directus' own permission checks; it also blocks intentional public uploads, so confirm first that the Public role is not meant to create files.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Directus from critical systems, and ensure nothing (web server, cron job, deployment pipeline) executes files from the Directus storage location
- Deploy file integrity monitoring on the Directus file storage directory, and periodically reconcile what is on disk with the directus_files table, since files written through this bug have no corresponding metadata row
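The reconciliation suggested above, as an added Python example (not Directus project code): it lists the local storage directory, loads filename_disk and filesize from the directus_files table, and reports files that exist on disk with no database row (an upload through this bug) or whose on-disk size no longer matches the stored filesize (an overwritten file). The SQLite path assumes a SQLite-backed Directus (data.db); on Postgres or MySQL the same SELECT runs through that database's driver. Skipping names containing "__" assumes, as noted in the code, that transformed-asset variants are stored alongside originals with an id__hash naming scheme; drop that filter if your instance does not produce such files.

```python
"""Reconcile the Directus upload directory against directus_files metadata.

Files written by CVE-2025-55746 never touch the database, so a file on disk
with no directus_files row, or whose size disagrees with the stored filesize,
is a concrete indicator.  Added example for this page, not Directus code.
"""
import os
import sqlite3
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    filename_disk: str
    kind: str        # "orphan" or "size_mismatch"
    detail: str


def load_metadata_sqlite(db_path: str) -> Dict[str, Optional[int]]:
    """filename_disk -> filesize from a SQLite-backed Directus (assumed: data.db).
    On Postgres/MySQL run the same SELECT through that driver instead."""
    with sqlite3.connect(db_path) as con:
        rows = con.execute(
            "SELECT filename_disk, filesize FROM directus_files"
        ).fetchall()
    return {name: size for name, size in rows if name}


def list_storage(storage_dir: str) -> Dict[str, int]:
    """filename_disk -> size in bytes for the local storage driver's directory."""
    sizes: Dict[str, int] = {}
    for entry in os.scandir(storage_dir):
        if entry.is_file():
            sizes[entry.name] = entry.stat().st_size
    return sizes


def reconcile(on_disk: Dict[str, int],
              in_db: Dict[str, Optional[int]],
              ignore_variants: bool = True) -> List[Finding]:
    """Compare disk listing with metadata; returns findings sorted by filename."""
    findings: List[Finding] = []
    for name, size in sorted(on_disk.items()):
        # Assumption: transformed-asset variants are named <id>__<hash>.<ext>
        # and have no row of their own, so they are skipped to avoid noise.
        if ignore_variants and "__" in name:
            continue
        if name not in in_db:
            findings.append(Finding(name, "orphan",
                                    f"{size} bytes on disk, no directus_files row"))
        elif in_db[name] is not None and in_db[name] != size:
            findings.append(Finding(name, "size_mismatch",
                                    f"disk={size} bytes, directus_files.filesize={in_db[name]}"))
    return findings


if __name__ == "__main__":
    import sys
    storage_dir, db_path = sys.argv[1], sys.argv[2]   # e.g. ./uploads ./data.db
    for f in reconcile(list_storage(storage_dir), load_metadata_sqlite(db_path)):
        print(f"{f.kind:14} {f.filename_disk}: {f.detail}")
```

Run it from cron or your FIM agent and alert on any output; a clean instance produces none. Treat an orphan with an extension your project never uses (.php, .html, .exe) as a priority, and preserve the file and its timestamps before removing it.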
🔍 How to Verify
Check if Vulnerable:
Determine the installed Directus version from the admin app or from the installed package (not the project's own package.json, whose version field describes the project). If the version is between 10.8.0 and 11.9.2 inclusive, the instance is vulnerable.
Check Version:
In an npm/yarn project: npm ls directus, or grep '"version"' node_modules/directus/package.json. In container deployments, check the directus/directus image tag in use. The admin app also displays the running version.
Verify Fix Applied:
Confirm the running version is 11.9.3 or later. Then send an unauthenticated file upload (POST /files with a multipart body and no credentials) against your own instance and confirm it is rejected with 401 or 403. If a patched instance still accepts it, the Public role has been granted create permission on directus_files; review that configuration rather than treating it as the bug.
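Both verification steps above, as an added Python example (not Directus project code): it compares a version string against the advisory's range of 10.8.0 through 11.9.2, reads the installed version from node_modules/directus/package.json in an npm-based project, and sends one harmless text file to POST /files with no credentials. The endpoint and the multipart field name file are Directus' documented upload API; the probe file name prefix is an arbitrary marker chosen here. Run the probe only against an instance you own: on a vulnerable build the file really is written to storage (with no database row), so delete it from the storage location afterwards.

```python
"""Version-range check and unauthenticated-upload probe for CVE-2025-55746.

Added example for this page, not Directus project code.
"""
import json
import os
import sys
import urllib.error
import urllib.request
import uuid
from typing import Optional, Tuple

# Range from the advisory: 10.8.0 <= version < 11.9.3 (i.e. through 11.9.2).
FIRST_AFFECTED = (10, 8, 0)
FIXED = (11, 9, 3)


def parse_version(text: str) -> Tuple[int, int, int]:
    """'v11.9.2' or '11.9.2-rc.1' -> (11, 9, 2); pre-release/build tags ignored."""
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_vulnerable_version(text: str) -> bool:
    return FIRST_AFFECTED <= parse_version(text) < FIXED


def installed_version(project_dir: str = ".") -> Optional[str]:
    """Version of the *installed* directus package.  The project's own
    package.json carries the project's version, so look in node_modules."""
    path = os.path.join(project_dir, "node_modules", "directus", "package.json")
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)["version"]
    except (OSError, KeyError, ValueError):
        return None


def probe_unauth_upload(base_url: str, timeout: float = 10.0) -> int:
    """POST a tiny text file to /files with NO credentials; return the HTTP status.

    Patched instance with a default Public role: 401 or 403.  A 2xx means the
    upload was accepted: either the instance is vulnerable or the Public role
    has create permission on directus_files.  The marker file name is an
    arbitrary choice for this example; delete it from storage if it lands.
    """
    boundary = "----cve202555746probe" + uuid.uuid4().hex
    marker = f"cve-2025-55746-probe-{uuid.uuid4().hex}.txt"
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{marker}"\r\n'
        "Content-Type: text/plain\r\n\r\n"
        "harmless verification probe; safe to delete\r\n"
        f"--{boundary}--\r\n"
    ).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/files",
        data=body,
        method="POST",
        headers={"Content-Type": f"multipart/form-data; boundary={boundary}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # usage: check_directus.py [version] [base_url]
    version = sys.argv[1] if len(sys.argv) > 1 else installed_version()
    if version:
        state = "VULNERABLE" if is_vulnerable_version(version) else "not affected"
        print(f"directus {version}: {state}")
    if len(sys.argv) > 2:
        status = probe_unauth_upload(sys.argv[2])
        verdict = "rejected (expected)" if status in (401, 403) else "ACCEPTED: investigate"
        print(f"unauthenticated POST /files -> HTTP {status}: {verdict}")
```

Example invocation: python3 check_directus.py 11.9.2 https://cms.example.com (the version argument is optional when run from the project directory). Treat a 2xx on a patched instance as a permissions finding: open Settings, Access Control, Public and remove create/update on directus_files unless public uploads are intended.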
📡 Detection & Monitoring
Log Indicators:
- POST /files or PATCH /files/:id requests carrying no Authorization header, session cookie or access_token parameter, especially ones answered with a 2xx status
- Files in the storage location with no matching directus_files row, or whose size or modification time disagrees with the row (the advisory's "metadata not updated" symptom; this is visible on disk, not in request logs)
- File-API write requests from unexpected source addresses or outside normal editorial activity
Network Indicators:
- HTTP POST to /files or PATCH to /files/<id> with a multipart/form-data body and no credentials; /assets only serves files over GET and is not a write vector
- Unusual upload volume, or uploaded extensions the project never uses (for example .php, .html, .exe)
SIEM Query:
source="directus" (http_method="POST" OR http_method="PATCH") uri_path="/files*" NOT (req_header_authorization="*" OR req_header_cookie="*directus_session_token*" OR uri_query="*access_token=*") | stats count by src_ip, http_method, uri_path, http_status
Field names are placeholders to map onto your log schema. Results with a 2xx status are successful writes; baseline first if the Public role is intentionally allowed to upload, since those requests are unauthenticated by design.
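The same detection logic as the query above, run over log lines, as an added Python example (not Directus project code). Directus logs HTTP requests with pino, so the constructed sample lines below imitate pino-http's JSON shape (req.method, req.url, req.headers, res.statusCode); they are invented for this example, and real logs may redact header values, so the code only tests whether a credential is present (Authorization header, a directus_session_token or directus_refresh_token cookie, or an access_token query parameter, the three ways Directus accepts a token). A successful unauthenticated write is rated high; a rejected one is kept as informational because it shows someone trying.

```python
"""Flag unauthenticated write requests to the Directus /files API in
pino-style JSON request logs.  Added example for this page, not Directus code.
"""
import json
from typing import Any, Dict, Iterable, List
from urllib.parse import parse_qs, urlsplit

WRITE_METHODS = {"POST", "PATCH"}


def _has_credential(req: Dict[str, Any]) -> bool:
    """True if the request carried any of the credentials Directus accepts.
    Header values may be redacted in real logs, so only presence is tested."""
    headers = {k.lower(): v for k, v in (req.get("headers") or {}).items()}
    if headers.get("authorization"):
        return True
    cookie = headers.get("cookie") or ""
    if "directus_session_token=" in cookie or "directus_refresh_token=" in cookie:
        return True
    query = parse_qs(urlsplit(req.get("url") or "").query)
    return bool(query.get("access_token"))


def flag_unauth_file_writes(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Return one finding per POST/PATCH under /files that carried no credential."""
    findings: List[Dict[str, Any]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except ValueError:
            continue  # pretty-printed or otherwise non-JSON line
        req = rec.get("req") or {}
        method = (req.get("method") or "").upper()
        path = urlsplit(req.get("url") or "").path
        if method not in WRITE_METHODS or not path.startswith("/files"):
            continue
        if _has_credential(req):
            continue
        status = (rec.get("res") or {}).get("statusCode")
        accepted = isinstance(status, int) and 200 <= status < 300
        findings.append({
            "method": method,
            "path": path,
            "status": status,
            "src": req.get("remoteAddress"),
            # 2xx: the write went through.  401/403: rejected (patched, or the
            # Public role has no permission), still worth noting as an attempt.
            "severity": "high" if accepted else "info",
        })
    return findings


# Constructed sample log, modelled on pino-http output; not real Directus data.
SAMPLE_LOG = """
{"level":30,"time":1754900000000,"req":{"id":1,"method":"POST","url":"/files","headers":{"authorization":"--redacted--","content-type":"multipart/form-data; boundary=a"},"remoteAddress":"10.0.0.5"},"res":{"statusCode":200},"msg":"request completed"}
{"level":30,"time":1754900001000,"req":{"id":2,"method":"POST","url":"/files","headers":{"content-type":"multipart/form-data; boundary=b"},"remoteAddress":"203.0.113.9"},"res":{"statusCode":200},"msg":"request completed"}
{"level":30,"time":1754900002000,"req":{"id":3,"method":"PATCH","url":"/files/2d4f1a0e-6f9b-4b76-9e2d-0c1d3a9f5b11","headers":{"content-type":"multipart/form-data; boundary=c"},"remoteAddress":"203.0.113.9"},"res":{"statusCode":200},"msg":"request completed"}
{"level":30,"time":1754900003000,"req":{"id":4,"method":"POST","url":"/files","headers":{},"remoteAddress":"198.51.100.7"},"res":{"statusCode":403},"msg":"request completed"}
{"level":30,"time":1754900004000,"req":{"id":5,"method":"GET","url":"/assets/2d4f1a0e-6f9b-4b76-9e2d-0c1d3a9f5b11","headers":{},"remoteAddress":"198.51.100.7"},"res":{"statusCode":200},"msg":"request completed"}
{"level":30,"time":1754900005000,"req":{"id":6,"method":"POST","url":"/files?access_token=--redacted--","headers":{},"remoteAddress":"10.0.0.6"},"res":{"statusCode":200},"msg":"request completed"}
2025-08-11T10:00:06.000Z INFO request completed (pretty-printed line, skipped)
"""

if __name__ == "__main__":
    for f in flag_unauth_file_writes(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']}] {f['src']} {f['method']} {f['path']} -> {f['status']}")
```

Point it at LOG_STYLE=raw output or a log shipper's JSON copy. Baseline before alerting: if the Public role has been granted create or update on directus_files, unauthenticated 2xx writes are expected and this rule needs an allow-list for that case.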