Exposed Logging Vulnerability in Directus Real-Time API and App Dashboard
CVE-2025-53885

4.2 MEDIUM

Key Information:

Vendor: Directus
Status: Vendor
CVE Published: 15 July 2025

What is CVE-2025-53885?

Directus, a real-time API and app dashboard for managing SQL database content, has a logging vulnerability that can expose sensitive user data. The flaw exists in versions 9.0.0 to 11.8.9 when Directus Flows are used for CRUD events. When the 'Log to Console' operation is used with template strings, malicious administrators may, deliberately or inadvertently, log sensitive information submitted when other users are created or updated. The vulnerability has been addressed in version 11.9.0. As a preventive measure, developers are advised to refrain from logging sensitive data to the console in production environments.
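The pattern at issue is a log template interpolated against a raw CRUD event payload. The following added example (not Directus code; the `{{ $trigger.payload }}` template syntax, the sensitive-key list and the sample event are assumptions) renders such a template with and without redacting sensitive fields first, which is the kind of mitigation a defender wants even when the operator is trusted:

```javascript
// Added example, not code from the Directus project.
// Keys treated as sensitive in CRUD payloads (assumed list, extend as needed).
const SENSITIVE_KEYS = new Set(['password', 'token', 'secret', 'tfa_secret', 'refresh_token']);

// Deep-copy a value, replacing any sensitive key's value with a marker.
function redact(value) {
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? '[REDACTED]' : redact(v);
    }
    return out;
  }
  return value;
}

// Minimal mustache-like resolver: "{{ a.b.c }}" is looked up in the context.
// Objects are serialised as JSON, which is exactly how a whole payload leaks.
function renderTemplate(template, context) {
  return template.replace(/\{\{\s*([\w.$]+)\s*\}\}/g, (_, path) => {
    const v = path.split('.').reduce((acc, key) => (acc == null ? undefined : acc[key]), context);
    if (v === undefined) return '';
    return typeof v === 'object' ? JSON.stringify(v) : String(v);
  });
}

// Hardened variant: redact the event before it ever reaches the template.
function safeLogMessage(template, trigger) {
  return renderTemplate(template, { $trigger: redact(trigger) });
}

// Constructed sample event: a user update that carries a password change.
const sampleTrigger = {
  event: 'users.update',
  keys: ['user-42'],
  payload: { email: 'alice@example.com', password: 'hunter2', tfa_secret: 'CONSTRUCTED-SECRET' },
};

const unsafe = renderTemplate('update: {{ $trigger.payload }}', { $trigger: sampleTrigger });
const safe = safeLogMessage('update: {{ $trigger.payload }}', sampleTrigger);
console.log('unsafe:', unsafe); // contains the plaintext password
console.log('safe:  ', safe);   // password and tfa_secret show as [REDACTED]
```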

Affected Version(s)

directus >= 9.0.0, < 11.9.0

CVSS V3.1

Score: 4.2
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published