Vulnerability in Directus API and App Dashboard Allows Unauthenticated File Modifications
CVE-2025-55746
What is CVE-2025-55746?
CVE-2025-55746 is a vulnerability in the Directus API and App Dashboard affecting versions from 10.8.0 up to, but not including, 11.9.3 (the issue is fixed in 11.9.3). Directus is a real-time API and user interface for managing the content of a SQL database. The flaw is in the file update mechanism: an unauthenticated user can overwrite an existing file or upload a new file with arbitrary content and an arbitrary extension, and the file metadata stored in the database is not changed. That last detail matters for defenders: the database record (size, MIME type, names) keeps describing the original upload while the bytes in storage are attacker-controlled, so the records cannot be trusted to reflect what is actually stored. Because no authentication is required, anyone who can reach the instance can tamper with stored files, with the operational and reputational consequences described below.
Potential impact of CVE-2025-55746
- Data integrity compromise: an unauthenticated user can replace the content of existing files or add new ones, so files served or processed by Directus can no longer be assumed to be what was originally uploaded. Because the database metadata is left untouched, the tampering is not visible from the file records themselves.
- Foothold for further attacks: arbitrary content with an arbitrary extension means an attacker can place scripts, HTML or other active content in storage. Whether that escalates to code execution or client-side attacks depends on how the stored files are served and interpreted, which is why affected deployments should treat the storage location as untrusted until it has been audited.
- Reputational damage and compliance risk: altered or attacker-supplied files reaching users or downstream systems can cause reputational harm and, where regulated data is involved, expose the organization to data-protection obligations, legal consequences and financial loss.
Affected Version(s)
directus >= 10.8.0, < 11.9.3
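To decide quickly whether an installed version falls in the affected range, the following added example (not code from the advisory or the Directus project) compares a version string against the lower bound 10.8.0 (inclusive) and the fixed version 11.9.3 (exclusive). It accepts an optional leading "v" and treats a prerelease suffix such as "-rc.1" as ordering before the corresponding release, as semantic versioning does; those parsing choices are assumptions of the example.

```javascript
// Added example: is a Directus version string inside >= 10.8.0, < 11.9.3?
const AFFECTED_FROM = { core: [10, 8, 0], prerelease: false }; // inclusive
const FIXED_IN = { core: [11, 9, 3], prerelease: false };      // exclusive

// Parse "v11.9.3-rc.1+build" into { core: [11, 9, 3], prerelease: true }.
function parseVersion(v) {
  const noBuild = v.trim().replace(/^v/, '').split('+')[0];
  const dash = noBuild.indexOf('-');
  const coreText = dash < 0 ? noBuild : noBuild.slice(0, dash);
  const core = coreText.split('.').map(Number);
  if (core.length !== 3 || core.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return { core, prerelease: dash >= 0 };
}

// Compare numeric components; on a tie a prerelease sorts before the release.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  if (a.prerelease === b.prerelease) return 0;
  return a.prerelease ? -1 : 1;
}

function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_FROM) >= 0 && compareVersions(v, FIXED_IN) < 0;
}

for (const v of ['10.7.9', '10.8.0', '11.9.2', '11.9.3-rc.1', '11.9.3', 'v12.0.0']) {
  console.log(v, isAffected(v) ? 'affected' : 'not affected');
}
```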
Exploit Proof of Concept (PoC)
Proof-of-concept code is written by security researchers to demonstrate that a vulnerability can actually be exploited. It is also a key building block for weaponization, and a public PoC for an unauthenticated flaw like this one can feed directly into automated mass exploitation, including ransomware campaigns.