CVE-2025-55746

Published Aug 20, 2025

Last updated 2 months ago

CVSS critical 9.3
Directus

Overview

Description
Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI. This vulnerability is fixed in 11.9.3.
Source
security-advisories@github.com
NVD status
Analyzed
Products
directus

Risk scores

CVSS 3.1

Type
Primary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-73

Social media

Hype score
Not currently trending

  1. ⚠️⚠️ CVE-2025-55746: Critical Directus Flaw Exposes Servers to Unauthenticated File Upload and RCE 🎯73k+ Results are found on the https://t.co/pb16tGYaKe nearly year 🔗FOFA Link:https://t.co/DPO27916c1 FOFA Query:app="Monospace-directus" 🔖Refer:https://t.co/Dfomqu

    @fofabot

    25 Aug 2025

    3119 Impressions

    23 Retweets

    66 Likes

    17 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨Alert🚨 CVE-2025-55746: Critical Directus Flaw Exposes Servers to Unauthenticated File Upload and RCE 📊177.7K+ Services are found on the https://t.co/ysWb28Crld yearly. 🔗Hunter Link:https://t.co/9pi7JesJbk 👇Query HUNTER : https://t.co/q9rtuGgxk7="Directus" https://

    @HunterMapping

    25 Aug 2025

    4355 Impressions

    18 Retweets

    70 Likes

    29 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨Alert🚨 CVE-2025-55746: Critical Directus Flaw Exposes Servers to Unauthenticated File Upload and RCE 📊177.7K+ Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/9pi7JesblM 👇Query HUNTER : https://t.co/q9rtuGfZuz="Directus"

    @HunterMapping

    25 Aug 2025

    76 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨🚨Critical vuln in Directus: CVE-2025-55746 (CVSS 9.3) lets ANYONE without auth upload sneaky files or tweak existing ones with whatever malicious junk they want Search by vul.cve Filter👉vul.cve="CVE-2025-55746" ZoomEye Dork👉app="Directus" Over 10.6k exposed instance

    @zoomeye_team

    22 Aug 2025

    465 Impressions

    0 Retweets

    1 Like

    4 Bookmarks

    0 Replies

    0 Quotes

  5. Warning: Critical unrestricted upload of file with dangerous type in #Directus. CVE-2025-55746 CVSS: 9.3. It can lead to remote file modification with arbitrary contents without affecting their metadata https://t.co/XhD3DHB3B6 #Patch #Patch #Patch

    @CCBalert

    21 Aug 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-55746 Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism whi… https://t.co/onsuxjc2GP

    @CVEnew

    21 Aug 2025

    204 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration. This vulnerability is fixed in 11.14.1.CVE-2026-26185
  2. Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. Version 11.13.0 fixes the issue.CVE-2025-64748
  3. Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. Version 11.13.0 fixes the issue.CVE-2025-64747
  4. Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they are not authorized to access, and when user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users which are not authorized to access these collections. Version 11.13.0 fixes the issue.CVE-2025-64749
  5. Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue.CVE-2025-64746

References

Sources include official advisories and independent security research.