Exposed Logging Vulnerability in Directus Real-Time API and App Dashboard
CVE-2025-53885
Currently unrated
What is CVE-2025-53885?
Directus, a real-time API and app dashboard for managing SQL database content, has a logging vulnerability that can expose sensitive user data. It affects versions 9.0.0 through 11.8.9 when Directus Flows are triggered by CRUD events. An administrator who configures a 'Log to Console' operation with template strings can cause sensitive fields from other users' records to be written to the console log during create or update events, whether maliciously or inadvertently. The issue is fixed in version 11.9.0. As a preventive measure, developers are advised not to log sensitive data to the console in production environments.
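As an added illustration of the mitigation (not code from Directus or from the advisory), the following Flows 'Run Script' operation strips well-known credential fields from the trigger payload so that a later 'Log to Console' step only sees a redacted copy. The sensitive-field list, the shape of `$trigger` and the sample payload are assumptions.

```javascript
// Added example, not Directus project code. Assumed: a Directus Flow triggered by an
// event hook passes a data object whose $trigger carries { event, collection, keys, payload }.
// Field names treated as sensitive are an assumption; extend to match your schema.
const SENSITIVE_KEYS = new Set(['password', 'token', 'secret', 'tfa_secret', 'auth_data']);

// Recursively copy a value, replacing any sensitive key (at any depth) with a marker.
function redact(value) {
  if (Array.isArray(value)) return value.map(redact);
  if (value instanceof Date) return value;
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, inner] of Object.entries(value)) {
      out[key] = SENSITIVE_KEYS.has(key.toLowerCase()) ? '[REDACTED]' : redact(inner);
    }
    return out;
  }
  return value; // primitives pass through unchanged
}

// Body of a 'Run Script' operation: Directus awaits the returned value and exposes it
// to the next step as {{$last}}, so the 'Log to Console' template reads the redacted copy.
function operation(data) {
  const trigger = data.$trigger || {};
  return {
    event: trigger.event,
    collection: trigger.collection,
    keys: trigger.keys,
    payload: redact(trigger.payload || {}),
  };
}

// Constructed sample of what a user-update event might hand to the flow.
const sampleData = {
  $trigger: {
    event: 'items.update',
    collection: 'directus_users',
    keys: ['placeholder-user-id'],
    payload: { email: 'user@example.com', password: 'correct horse', first_name: 'Ada' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(operation(sampleData), null, 2));
}
```

Key-based redaction only catches fields whose names are on the list; a sensitive value stored under an unexpected field name still reaches the log, which is why the advisory's advice remains to avoid logging user data to the console in production at all.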