CVE-2025-64747
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in Directus allows authenticated users with file upload and edit permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy restrictions by combining file uploads with iframe srcdoc attributes, leading to persistent XSS execution. This affects Directus instances running versions prior to 11.13.0.
💻 Affected Systems
- Directus
📦 What is this software?
Directus by Monospace
⚠️ Risk & Real-World Impact
Worst Case
Attackers with valid credentials could inject persistent malicious scripts that steal session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users, potentially leading to full account compromise and data exfiltration.
Likely Case
Authenticated malicious users could inject scripts that affect other users viewing the compromised content, potentially stealing their session tokens or performing unauthorized actions within their permissions.
If Mitigated
With proper user permission controls and monitoring, the impact is limited to authenticated users with specific permissions, reducing the attack surface to trusted insiders or compromised accounts.
🎯 Exploit Status
Exploitation requires authenticated access with specific permissions and knowledge of the Block Editor interface. The vulnerability bypasses CSP through file upload and iframe srcdoc combination.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.13.0
Vendor Advisory: https://github.com/directus/directus/security/advisories/GHSA-vv2v-pw69-8crf
Restart Required: Yes
Instructions:
1. Back up your Directus instance and database.
2. Update Directus to version 11.13.0 or later using your package manager (npm update directus).
3. Restart the Directus service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict User Permissions
Temporarily remove 'upload files' and 'edit item' permissions from users who don't absolutely need them, especially for the Block Editor interface.
Disable Block Editor
If not required, disable the Block Editor interface in affected collections to prevent exploitation.
🧯 If You Can't Patch
- Implement strict Content Security Policy headers that block inline scripts and restrict iframe sources
- Enable detailed logging for file uploads and content edits to detect suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check your Directus version. If it's below 11.13.0 and you have users with both 'upload files' and 'edit item' permissions, you are vulnerable.
Check Version:
npm list directus | grep directus
Verify Fix Applied:
After updating to 11.13.0 or later, verify the version and test that the Block Editor properly sanitizes content and prevents script injection through file uploads.
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload patterns combined with content edits
- Multiple iframe srcdoc attribute modifications in short timeframes
- User accounts with both upload and edit permissions making suspicious changes
Network Indicators:
- Unexpected JavaScript execution from uploaded files
- Iframes loading content from unexpected sources
SIEM Query:
source="directus" AND (event="file_upload" OR event="content_edit") | stats count by user, event
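An offline version of the correlation this section describes, added here as an example and not part of the advisory or of Directus itself: it flags users whose content edit follows their own file upload within a short window, and edits whose payload carries an iframe srcdoc attribute. The sample entries and the field names (timestamp, action, user, collection, item, delta) are constructed assumptions modelled loosely on Directus's activity collection; adapt them to your actual export.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample activity entries (not real logs); field names are assumptions.
SAMPLE_LOG = """
{"timestamp":"2025-11-10T09:00:00Z","action":"create","user":"u-alice","collection":"directus_files","item":"f1","delta":{}}
{"timestamp":"2025-11-10T09:02:00Z","action":"update","user":"u-alice","collection":"articles","item":"42","delta":{"body":"<p>ok</p>"}}
{"timestamp":"2025-11-10T09:03:00Z","action":"update","user":"u-alice","collection":"articles","item":"42","delta":{"body":"<iframe srcdoc='...'></iframe>"}}
{"timestamp":"2025-11-10T10:00:00Z","action":"create","user":"u-bob","collection":"directus_files","item":"f2","delta":{}}
{"timestamp":"2025-11-10T13:00:00Z","action":"update","user":"u-bob","collection":"articles","item":"7","delta":{"body":"<p>later</p>"}}
{"timestamp":"2025-11-10T11:00:00Z","action":"update","user":"u-carol","collection":"articles","item":"9","delta":{"body":"<p>no upload</p>"}}
"""

# An <iframe> element carrying a srcdoc attribute, the combination named in the advisory.
SRCDOC_RE = re.compile(r"<iframe\b[^>]*\bsrcdoc\s*=", re.IGNORECASE)

def parse_log(text):
    """Parse a JSON-lines activity export; adds a datetime 'ts' and sorts by time."""
    entries = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        entries.append(e)
    return sorted(entries, key=lambda e: e["ts"])

def upload_then_edit(entries, window_minutes=15):
    """Map user -> [(collection, item, timestamp)] for edits following that user's own upload."""
    window = timedelta(minutes=window_minutes)
    last_upload = {}  # user -> time of the most recent file upload seen so far
    hits = {}
    for e in entries:  # time-ordered, so last_upload is always the latest prior upload
        if e["action"] == "create" and e["collection"] == "directus_files":
            last_upload[e["user"]] = e["ts"]
        elif e["action"] == "update" and e["collection"] != "directus_files":
            up = last_upload.get(e["user"])
            if up is not None and e["ts"] - up <= window:
                hits.setdefault(e["user"], []).append((e["collection"], e["item"], e["timestamp"]))
    return hits

def srcdoc_edits(entries):
    """[(user, collection, item)] for edits whose delta contains an iframe srcdoc attribute."""
    return [(e["user"], e["collection"], e["item"]) for e in entries
            if e["action"] == "update" and SRCDOC_RE.search(json.dumps(e.get("delta", {})))]

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("upload then edit:", upload_then_edit(log))
    print("srcdoc edits:", srcdoc_edits(log))
```

Widen window_minutes to catch slower sequences; the srcdoc check is a triage signal, not proof of injection, since legitimate content may embed iframes.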