CVE-2025-53885

EPSS 0.17%
Veröffentlicht 14.07.2025 23:18:57
Zuletzt bearbeitet 16.07.2025 14:18:18
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Directus doesn't redact sensitive user data when logging via event hooks

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console" operation and a template string. Malicious admins can log sensitive data from other users when they are created or updated. Version 11.9.0 contains a fix for the issue. As a workaround, avoid logging sensitive data to the console outside the context of development.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Monospace ≫ Directus SwPlatformnode.js Version >= 9.0.0 < 11.9.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.17%	0.066

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	4.2	0.6	3.6	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

https://github.com/directus/directus/security/advisories/GHSA-x3vm-88hf-gpxp

Third Party Advisory

https://github.com/directus/directus/pull/25355

Patch

https://github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff580e5

Patch

https://github.com/directus/directus/releases/tag/v11.9.0

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2025-53885

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-53885

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-53885

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-53885