4.2

CVE-2025-53885

EPSS 0.02%
Veröffentlicht 14.07.2025 23:18:57
Zuletzt bearbeitet 16.07.2025 14:18:18
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console" operation and a template string. Malicious admins can log sensitive data from other users when they are created or updated. Version 11.9.0 contains a fix for the issue. As a workaround, avoid logging sensitive data to the console outside the context of development.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Monospace ≫ Directus SwPlatformnode.js Version >= 9.0.0 < 11.9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.043

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	4.2	0.6	3.6	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

https://github.com/directus/directus/security/advisories/GHSA-x3vm-88hf-gpxp

Third Party Advisory

https://github.com/directus/directus/pull/25355

Patch

https://github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff580e5

Patch

https://github.com/directus/directus/releases/tag/v11.9.0

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2025-53885

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-53885

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-53885

EUVD