AI description
CVE-2025-55746 is a vulnerability in Directus, a real-time API and App dashboard for managing SQL database content. Versions from 10.8.0 up to, but not including, 11.9.3 are affected; the issue is patched in version 11.9.3. The flaw lies in the file update mechanism, which an unauthenticated attacker can use to overwrite existing files with arbitrary content (the files' database-resident metadata is left unchanged, so the modification is invisible to the application) or to upload new files with arbitrary content and extensions that do not appear in the Directus UI. The impact depends on the deployment: in configurations where a web server serves files directly from the upload directory, an attacker could upload a webshell and potentially achieve remote code execution. Attackers could also tamper with hosted documents, for example by inserting malicious links to harvest credentials.
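The two symptoms described above (files changed on disk while their metadata stays untouched, and files present on disk with no metadata row at all) suggest a practical triage check for instances that were exposed before patching: reconcile the local upload directory against the file metadata Directus keeps in its database. The script below is an added example for this page, not code from Directus or from the advisory. It assumes local storage (each metadata row's `filename_disk` names a file directly under the storage root) and that the relevant rows of the files table have already been exported as dicts with `filename_disk`, `filesize` and `modified_on` (epoch seconds); the column names follow the Directus files table as I understand it, so verify them against your instance. The sample store and metadata rows are constructed inline so the example runs offline.

```python
import os
import tempfile
from dataclasses import dataclass, field

# Extensions a front-end web server would execute if it served the upload
# directory directly (the webshell/RCE scenario in the advisory). Extend
# this set for your own stack.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".phar", ".jsp", ".jspx",
                         ".asp", ".aspx", ".cgi", ".pl", ".sh"}
MTIME_SLACK_SECONDS = 5  # tolerate jitter between disk write and DB update

# Constructed tampered content for the demo (hypothetical, not real data).
TAMPERED_PDF = b"%PDF-1.4 <a href=http://evil.example>"


@dataclass
class Findings:
    orphans: list = field(default_factory=list)         # on disk, no metadata row
    size_mismatch: list = field(default_factory=list)   # disk size != filesize column
    stale_metadata: list = field(default_factory=list)  # disk mtime newer than modified_on
    executable: list = field(default_factory=list)      # server-executable extension on disk
    missing: list = field(default_factory=list)         # metadata row, no file on disk


def reconcile(storage_root, metadata_rows):
    """Cross-check files under storage_root against exported metadata rows.

    Each row is a dict with 'filename_disk', 'filesize' and optionally
    'modified_on' as Unix epoch seconds (assumed export format).
    """
    expected = {row["filename_disk"]: row for row in metadata_rows}
    f = Findings()
    seen = set()
    for entry in os.scandir(storage_root):
        if not entry.is_file():
            continue
        seen.add(entry.name)
        if os.path.splitext(entry.name)[1].lower() in EXECUTABLE_EXTENSIONS:
            f.executable.append(entry.name)
        row = expected.get(entry.name)
        if row is None:
            f.orphans.append(entry.name)  # written outside the metadata path
            continue
        st = entry.stat()
        if row.get("filesize") is not None and st.st_size != int(row["filesize"]):
            f.size_mismatch.append((entry.name, int(row["filesize"]), st.st_size))
        elif (row.get("modified_on") is not None
              and st.st_mtime > float(row["modified_on"]) + MTIME_SLACK_SECONDS):
            f.stale_metadata.append(entry.name)  # same size, but content rewritten later
    f.missing = sorted(set(expected) - seen)
    for lst in (f.orphans, f.size_mismatch, f.stale_metadata, f.executable):
        lst.sort()
    return f


def build_demo(root):
    """Create a constructed sample store under root; return its metadata rows."""
    def put(name, data, mtime):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))

    t0 = 1_700_000_000
    put("ok.png", b"\x89PNG" + b"\0" * 12, t0)                 # intact: 16 bytes, metadata newer
    put("report.pdf", TAMPERED_PDF, t0 + 900)                   # overwritten: metadata says 17 bytes
    put("notes.txt", b"hello world!", t0 + 900)                 # same size, mtime after modified_on
    put("shell.php", b"<?php /* placeholder webshell */ ?>", t0 + 900)  # no metadata row at all
    return [
        {"filename_disk": "ok.png", "filesize": 16, "modified_on": t0 + 10},
        {"filename_disk": "report.pdf", "filesize": 17, "modified_on": t0 + 10},
        {"filename_disk": "notes.txt", "filesize": 12, "modified_on": t0 + 10},
        {"filename_disk": "ghost.jpg", "filesize": 3, "modified_on": t0 + 10},
    ]


def demo():
    """Run the reconciliation over the constructed store and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        rows = build_demo(root)
        return reconcile(root, rows)


if __name__ == "__main__":
    print(demo())
```

The size and mtime checks are only as good as the baseline: an attacker who preserves the original length and resets the timestamp passes both, so on a store you suspect was exposed, compare against content hashes taken from a pre-exposure backup rather than relying on metadata alone. Orphans with an executable extension are the highest-priority finding when the upload directory is served directly by the web server.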
- Description: Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI. This vulnerability is fixed in 11.9.3.
- Source: security-advisories@github.com
- NVD status: Awaiting Analysis
CVSS 3.1
- Type: Secondary
- Base score: 9.3
- Impact score: 4.7
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
- Severity: CRITICAL
- Source: security-advisories@github.com
- CWE: CWE-73 (External Control of File Name or Path)
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 13
⚠️⚠️ CVE-2025-55746: Critical Directus Flaw Exposes Servers to Unauthenticated File Upload and RCE 🎯73k+ Results are found on the https://t.co/pb16tGYaKe nearly year 🔗FOFA Link:https://t.co/DPO27916c1 FOFA Query:app="Monospace-directus" 🔖Refer:https://t.co/Dfomqu
@fofabot
25 Aug 2025
1593 Impressions
12 Retweets
35 Likes
7 Bookmarks
0 Replies
0 Quotes
🚨Alert🚨 CVE-2025-55746: Critical Directus Flaw Exposes Servers to Unauthenticated File Upload and RCE 📊177.7K+ Services are found on the https://t.co/ysWb28Crld yearly. 🔗Hunter Link:https://t.co/9pi7JesJbk 👇Query HUNTER : https://t.co/q9rtuGgxk7="Directus" https://
@HunterMapping
25 Aug 2025
3912 Impressions
15 Retweets
58 Likes
24 Bookmarks
0 Replies
0 Quotes
🚨Alert🚨 CVE-2025-55746: Critical Directus Flaw Exposes Servers to Unauthenticated File Upload and RCE 📊177.7K+ Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/9pi7JesblM 👇Query HUNTER : https://t.co/q9rtuGfZuz="Directus"
@HunterMapping
25 Aug 2025
76 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨🚨Critical vuln in Directus: CVE-2025-55746 (CVSS 9.3) lets ANYONE without auth upload sneaky files or tweak existing ones with whatever malicious junk they want Search by vul.cve Filter👉vul.cve="CVE-2025-55746" ZoomEye Dork👉app="Directus" Over 10.6k exposed instance
@zoomeye_team
22 Aug 2025
465 Impressions
0 Retweets
1 Like
4 Bookmarks
0 Replies
0 Quotes
Warning: Critical unrestricted upload of file with dangerous type in #Directus. CVE-2025-55746 CVSS: 9.3. It can lead to remote file modification with arbitrary contents without affecting their metadata https://t.co/XhD3DHB3B6 #Patch #Patch #Patch
@CCBalert
21 Aug 2025
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-55746 Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism whi… https://t.co/onsuxjc2GP
@CVEnew
21 Aug 2025
204 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes