Privilege Escalation Vulnerability in Directus API by Directus
CVE-2025-24353

Score 5 (MEDIUM)

Key Information:

Vendor: Directus
Status: Vendor
CVE Published: 23 January 2025

What is CVE-2025-24353?

The Directus API, prior to version 11.2.0, contains a vulnerability that allows users to specify an arbitrary role when sharing content. This flaw permits access to sensitive fields that should be restricted from certain user roles. Instances that use the sharing feature together with role hierarchies are particularly at risk, as a share created under a role other than the sharer's own can inadvertently expose database content that the sharer should not be able to grant access to. The issue has been addressed in version 11.2.0, which contains a patch for this vulnerability.

Affected Version(s)

directus < 11.2.0

CVSS V3.1

Score: 5
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved
