5

CVE-2025-24353

Exploit

EPSS 0.27%
Veröffentlicht 23.01.2025 18:15:33
Zuletzt bearbeitet 18.11.2025 21:43:43
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.2.0, when sharing an item, a typical user can specify an arbitrary role. It allows the user to use a higher-privileged role to see fields that otherwise the user should not be able to see. Instances that are impacted are those that use the share feature and have specific roles hierarchy and fields that are not visible for certain roles. Version 11.2.0 contains a patch the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Monospace ≫ Directus SwPlatformnode.js Version < 11.2.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.27%	0.501

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	5	3.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://github.com/directus/directus/commit/e288a43a79613dada905da683f4919c6965ac804

Patch

https://github.com/directus/directus/pull/23716

Issue Tracking

https://github.com/directus/directus/releases/tag/v11.2.0

Release Notes

https://github.com/directus/directus/security/advisories/GHSA-pmf4-v838-29hg

Vendor Advisory

Exploit

https://www.youtube.com/watch?v=DbV4IxbWzN4

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-24353

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-24353

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-24353

EUVD