Vulnerability in Directus API and App Dashboard Allows Unauthenticated File Modifications
CVE-2025-55746

9.3 CRITICAL

Key Information:

Vendor: Directus
Status: Vendor
CVE Published: 20 August 2025

What is CVE-2025-55746?

A vulnerability in the Directus API and App dashboard allows unauthenticated users to abuse the file update mechanism. The flaw can lead to the modification of existing files or the upload of new files with arbitrary content and file extensions. Notably, files uploaded this way may not be shown in the Directus user interface, which obscures their existence and their potential use in malicious activity. The issue is fixed in version 11.9.3.

Affected Version(s)

directus >= 10.8.0, < 11.9.3
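Two defender-side checks built from the description and the affected range above, as an added example that is not Directus project code: a version-range test against the advisory's bounds, and a reconciliation of file names found in upload storage against the names the Directus files API reports, since files written through this flaw may not appear in the UI. The storage layout, the API field used for the name, and all sample data are assumptions.

```python
"""Defender-side checks for CVE-2025-55746 (added example, not Directus code)."""
import re

AFFECTED_FROM = (10, 8, 0)   # inclusive lower bound, from the advisory
FIXED_IN = (11, 9, 3)        # exclusive upper bound, from the advisory


def parse_version(version: str) -> tuple:
    """Turn '11.9.2' or 'v11.9.3' into a comparable (major, minor, patch) tuple.
    Pre-release suffixes such as '-rc.1' are ignored (assumption for this example)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the Directus version lies in the range the advisory lists as vulnerable."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def unregistered_uploads(on_disk, registered):
    """Return file names present in upload storage but absent from the Directus
    file records, sorted. Both arguments are iterables of bare file names; how
    those names are obtained (storage listing, files API) is an assumption."""
    known = set(registered)
    return sorted(name for name in on_disk if name not in known)


if __name__ == "__main__":
    # Constructed sample data, not output from any real instance.
    for ver in ("10.7.9", "10.8.0", "11.9.2", "11.9.3"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    storage_listing = ["a1b2c3.png", "report.pdf", "orphan.bin"]
    api_records = ["a1b2c3.png", "report.pdf"]
    print("files with no Directus record:", unregistered_uploads(storage_listing, api_records))
```

Any name the reconciliation returns deserves a look, because a file in storage without a matching record is exactly what the advisory says this flaw can leave behind.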

References

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
