Unauthorized Data Exposure in Directus API Dashboard
CVE-2025-30352

5.3 MEDIUM

Key Information:

Vendor: Directus
Status: Vendor
CVE Published: 26 March 2025

What is CVE-2025-30352?

Directus is a headless CMS and data platform that exposes a SQL database through REST and GraphQL APIs. In versions from 9.0.0-alpha.4 before 11.5.0, the `search` query parameter (for example `GET /items/<collection>?search=<term>`) is implemented without regard to field-level permissions: the term is matched against every string field of the collection, including fields the requesting role is not allowed to read, and the resulting WHERE clauses are added without a permission check. The hidden field is never returned in the response, but whether an item appears in the result set reveals whether that field contains the search term, so a caller can confirm guesses and enumerate, piece by piece, the contents of fields it cannot otherwise see. Directus 11.5.0 addresses the issue by validating field permissions before the search clauses are built, so only fields the caller may read take part in the match.
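As an added illustration (not Directus's own code, and not an exploit taken from the advisory), the following Python models the behaviour the description attributes to the vulnerable search parameter, the fixed behaviour beside it, and the character-by-character enumeration that the vulnerable form enables. The collection, field names, sample values and the assumed token prefix `tk-` are constructed for the example, and the search semantics are modelled as a case-insensitive substring match on every string field; the real Directus query builder is not reproduced.

```python
"""Constructed model of the CVE-2025-30352 search leak (added example; not
Directus code).  Directus's search parameter is treated here as a
case-insensitive "contains" test over every string field of a collection
(an assumption about its semantics, not a reproduction of the real query builder)."""
import string

# Constructed sample data: a hypothetical "users" collection in which the
# caller's role may read `id` and `username` but not `api_token`.
ITEMS = [
    {"id": 1, "username": "alice", "api_token": "tk-7f3a9c"},
    {"id": 2, "username": "bob", "api_token": "tk-1b2c3d"},
]
STRING_FIELDS = ["username", "api_token"]
PERMITTED_FIELDS = {"id", "username"}


def _matches(item, fields, term):
    """Case-insensitive substring match of `term` against the given fields."""
    needle = term.lower()
    return any(needle in str(item[f]).lower() for f in fields)


def _redact(item):
    """Strip the response down to permitted fields (this part worked even
    before the fix; the leak is in which items are selected, not in what
    each item shows)."""
    return {k: v for k, v in item.items() if k in PERMITTED_FIELDS}


def search_vulnerable(term, items=ITEMS):
    """Pre-11.5.0 behaviour as modelled: the search clause is built over every
    string field, so a hidden field decides whether an item is returned."""
    return [_redact(i) for i in items if _matches(i, STRING_FIELDS, term)]


def search_fixed(term, items=ITEMS):
    """Fixed behaviour as modelled: field permissions are applied before the
    search clause is built, so only readable fields take part in the match."""
    searchable = [f for f in STRING_FIELDS if f in PERMITTED_FIELDS]
    return [_redact(i) for i in items if _matches(i, searchable, term)]


ALPHABET = string.ascii_lowercase + string.digits + "-"


def extract_hidden_value(search, target_id, known_prefix, alphabet=ALPHABET, max_len=32):
    """Use the search endpoint as a substring oracle.

    Starting from a prefix the attacker already knows (here the assumed token
    prefix "tk-"), append one candidate character at a time and keep it if the
    target item still appears in the results.  When no character extends the
    prefix, the recovered value is complete.  Against the fixed search the
    hidden field never influences the result set, so the loop makes no progress
    and the known prefix is returned unchanged.
    """
    value = known_prefix
    while len(value) < max_len:
        for c in alphabet:
            candidate = value + c
            if any(row["id"] == target_id for row in search(candidate)):
                value = candidate
                break
        else:
            break  # nothing extends the prefix: done
    return value


if __name__ == "__main__":
    # The hidden field is never in the response, but it still steers the match:
    print(search_vulnerable("7f3a"))   # [{'id': 1, 'username': 'alice'}]
    print(search_fixed("7f3a"))        # []
    print(extract_hidden_value(search_vulnerable, 1, "tk-"))  # tk-7f3a9c
    print(extract_hidden_value(search_fixed, 1, "tk-"))       # tk-
```

The oracle is "some string field of this item contains the term", so the attacker needs a starting prefix distinctive enough not to match a visible field (a single letter would match `username` too). That is why the fix restricts the candidate columns rather than only redacting the response: filtering on a column is itself a read of that column, and the check has to happen where the WHERE clause is built.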

Affected Version(s)

directus >= 9.0.0-alpha.4, < 11.5.0

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
