OpenAPI Specification Exposure in Directus API Management Tool
CVE-2025-53887

5.3MEDIUM

Key Information:

Vendor

Directus

Status
Directus
Vendor
CVE Published:
15 July 2025

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2025-53887?

A vulnerability exists in the Directus API management tool where the exact version number is revealed through the OpenAPI Specification at the '/server/specs/oas' endpoint without requiring authentication. This exposure allows attackers to identify potential weaknesses in the Directus core and its dependencies tied to the specific version of the application in use. As a result, it enables malicious actors to exploit known vulnerabilities, posing a risk to databases and potentially compromising their integrity. The issue has been addressed in version 11.9.0, which mitigates this exposure.

Affected Version(s)

directus >= 9.0.0, < 11.9.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

directus-security
Created by Perufitlife

References

https://github.com/directus/directus/security/advisories/...
x_refsource_CONFIRM
https://github.com/directus/directus/pull/25353
x_refsource_MISC
https://github.com/directus/directus/commit/e74f3e4e92edc...
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

.