Description

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to the Flow executing potential tasks on the attacker's behalf without authenticating. Bad actors could execute the manual trigger Flows without authentication, or access rights to the said collection(s) or item(s). Users with manual trigger Flows configured are impacted as these endpoints do not currently validate if the user has read access to `directus_flows` or to the relevant collection/items. The manual trigger Flows should have tighter security requirements as compared to webhook Flows where users are expected to perform do their own checks. Version 11.9.0 fixes the issue. As a workaround, implement permission checks for read access to Flows and read access to relevant collection/items.

INFO

Published Date :

2025-07-14T23:50:23.283Z

Last Modified :

2025-07-15T19:48:56.003Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-53889 vulnerability.

Vendors Products
Directus
  • Directus
Monospace
  • Directus
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-53889.

URL Resource
https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb cve-icon cve-icon
https://github.com/directus/directus/releases/tag/v11.9.0 cve-icon cve-icon
https://github.com/directus/directus/security/advisories/GHSA-7cvf-pxgp-42fc cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact