CVE-2025-55746

Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI. This vulnerability is fixed in 11.9.3.

CVSS v3 9.3 CRITICAL

9.3^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/directus/directus/commit/d84dcc36f75fc5c858d43746b8f9c426c38d696b	Patch
https://github.com/directus/directus/security/advisories/GHSA-mv33-9f6j-pfmc	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*

History

13 Jan 2026, 18:29

Type	Values Removed	Values Added
First Time		Monospace Monospace directus
CPE		cpe:2.3:a:monospace:directus::::::node.js::*
References	~~() https://github.com/directus/directus/commit/d84dcc36f75fc5c858d43746b8f9c426c38d696b -~~	() https://github.com/directus/directus/commit/d84dcc36f75fc5c858d43746b8f9c426c38d696b - Patch
References	~~() https://github.com/directus/directus/security/advisories/GHSA-mv33-9f6j-pfmc -~~	() https://github.com/directus/directus/security/advisories/GHSA-mv33-9f6j-pfmc - Exploit, Vendor Advisory

22 Aug 2025, 18:09

Type	Values Removed	Values Added
Summary		(es) Directus es una API en tiempo real y un panel de control para aplicaciones que gestiona el contenido de bases de datos SQL. Desde la versión 10.8.0 hasta la versión 11.9.3, existe una vulnerabilidad en el mecanismo de actualización de archivos que permite a un usuario no autenticado modificar archivos existentes con contenido arbitrario (sin que se apliquen cambios a los metadatos residentes en la base de datos) o cargar nuevos archivos con contenido y extensiones arbitrarios, que no se mostrarán en la interfaz de Directus. Esta vulnerabilidad se corrigió en la versión 11.9.3.

20 Aug 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-20 18:15

Updated : 2026-01-13 18:29

NVD link : CVE-2025-55746

Mitre link : CVE-2025-55746

CVE.ORG link : CVE-2025-55746

JSON object : View

Products Affected

monospace

directus

CWE

CWE-73

External Control of File Name or Path

CWE-434

Unrestricted Upload of File with Dangerous Type

9.3 /10