ghsa-x3vm-88hf-gpxp
Vulnerability from github
Published
2025-07-15 15:18
Modified
2025-07-15 15:18
Severity ?
4.2 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Summary
Directus is vulnerable to sensitive data exposure as user data is not being redacted when logged
Details

Summary

When using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console" operation and a template string.

Impact

Malicious admins can log sensitive data from other users when they are created or updated.

Workarounds

Avoid logging sensitive data to the console outside the context of development.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "11.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53885"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-15T15:18:06Z",
    "nvd_published_at": "2025-07-15T00:15:23Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nWhen using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the \"Log to Console\" operation and a template string. \n\n### Impact\n\nMalicious admins can log sensitive data from other users when they are created or updated.\n\n### Workarounds\nAvoid logging sensitive data to the console outside the context of development.",
  "id": "GHSA-x3vm-88hf-gpxp",
  "modified": "2025-07-15T15:18:06Z",
  "published": "2025-07-15T15:18:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/security/advisories/GHSA-x3vm-88hf-gpxp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53885"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/pull/25355"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff580e5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/releases/tag/v11.9.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directus is vulnerable to sensitive data exposure as user data is not being redacted when logged"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.