Platform
nodejs
Component
directus
Fixed in
11.2.1
CVE-2025-24353 describes a privilege escalation vulnerability in Directus, a real-time API and app dashboard for managing SQL database content. The flaw allows users to access fields they are not authorized to see, by leveraging the item sharing feature and manipulating the role assigned to a share. The vulnerability affects versions of Directus up to and including 11.2.0, and a patch is available in version 11.2.0.
An attacker exploiting this vulnerability could use the item sharing feature to elevate their privileges within the Directus application. By specifying a higher-privileged role when creating a share, an ordinary user could gain unauthorized access to sensitive data fields that are normally restricted to that role. This could lead to data exposure, unauthorized modifications, or other malicious activity. The impact is particularly significant in environments where role-based access control is critical for data security and compliance. The blast radius is limited to the Directus instance and the data it manages, but the potential for unauthorized access makes this a serious concern.
CVE-2025-24353 was publicly disclosed on January 23, 2025. There is no indication of active exploitation or KEV listing at the time of writing. No public proof-of-concept (PoC) code has been released. The CVSS score is 5.0 (Medium), indicating a moderate risk.
Organizations using Directus for content management, particularly those with complex role-based access control configurations and who utilize the item sharing feature, are at risk. Shared hosting environments where multiple users share a Directus instance are also potentially vulnerable.
• nodejs: Monitor Directus logs for suspicious activity related to item sharing and role assignments. Look for requests containing unexpected or elevated roles.
# -E enables extended regex so '|' acts as alternation
grep -Ei 'role assignment|sharing request' /var/log/directus/directus.log
• generic web: Check Directus API endpoints for unauthorized access attempts. Use curl to test sharing functionality with different user roles.
# replace <directus_api_url> and <item_id> with your instance and a test item
curl -X POST -H "Content-Type: application/json" -d '{"role":"admin"}' <directus_api_url>/items/<item_id>/share
Exploit status
EPSS
0.35% (57th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-24353 is to upgrade Directus to version 11.2.0 or later, which includes the necessary patch. If immediate upgrading is not possible, consider temporarily restricting the use of the item sharing feature, or carefully review and tighten role-based access controls within Directus. Implement stricter validation of user input when configuring sharing permissions, in particular the role assigned to a share. Regularly audit Directus configurations to ensure role hierarchies are properly defined and enforced. After upgrading, confirm the fix by sharing an item with a user and verifying that they only have access to the intended fields.
Update Directus to version 11.2.0 or higher. This version contains a fix for the privilege escalation vulnerability. The update will prevent unauthorized users from accessing fields they should not see through the sharing feature.
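The log-monitoring advice above ("look for share requests containing unexpected or elevated roles") and the mitigation advice to validate the role assigned to a share can both be expressed as one check: a share must never carry a role that outranks the role of the user creating it. The script below is an added example written for this page, not Directus project code. It assumes a constructed JSON-lines request log (fields `method`, `url`, `user`, `userRole`, `body`), a constructed role ranking `ROLE_RANK`, and that share creation is a `POST /shares` request; adapt the field names and ranking to the log format and role set of your own instance.

```javascript
// Added example (not Directus code): audit share-creation requests for a
// share role that outranks the requesting user's own role.
// Assumptions, all constructed for this example:
//  - log lines are JSON objects with method, url, user, userRole, body
//  - ROLE_RANK maps role names to a privilege rank (higher = more privileged)

const ROLE_RANK = {
  Viewer: 1,
  Editor: 2,
  Administrator: 3,
};

// Constructed sample log lines imitating a request log; not real Directus output.
const SAMPLE_LOG = [
  '{"ts":"2025-01-24T09:00:01Z","method":"POST","url":"/shares","user":"alice","userRole":"Editor","body":{"collection":"articles","item":"17","role":"Viewer"}}',
  '{"ts":"2025-01-24T09:00:05Z","method":"GET","url":"/items/articles/17","user":"bob","userRole":"Viewer"}',
  '{"ts":"2025-01-24T09:01:10Z","method":"POST","url":"/shares","user":"bob","userRole":"Viewer","body":{"collection":"articles","item":"17","role":"Administrator"}}',
  'not json at all',
  '{"ts":"2025-01-24T09:02:00Z","method":"POST","url":"/shares","user":"carol","userRole":"Editor","body":{"collection":"articles","item":"42","role":"Ghost"}}',
].join('\n');

// True only when both roles are known and the requested share role does not
// outrank the creator's role. Unknown roles are rejected (fail closed), which
// is the same check a server-side validation hook should apply before a share
// is stored.
function isShareRoleAllowed(creatorRole, requestedRole, roleRank = ROLE_RANK) {
  const creatorRank = roleRank[creatorRole];
  const requestedRank = roleRank[requestedRole];
  if (creatorRank === undefined || requestedRank === undefined) return false;
  return requestedRank <= creatorRank;
}

// Parse JSON-lines log text and return one finding per share-creation
// request whose role would not pass isShareRoleAllowed.
function auditShareRequests(logText, roleRank = ROLE_RANK) {
  const findings = [];
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      continue; // skip unparseable lines instead of aborting the whole audit
    }
    if (entry.method !== 'POST' || entry.url !== '/shares') continue;
    const requestedRole = entry.body && entry.body.role;
    if (isShareRoleAllowed(entry.userRole, requestedRole, roleRank)) continue;
    findings.push({
      ts: entry.ts,
      user: entry.user,
      userRole: entry.userRole,
      requestedRole: requestedRole ?? null,
      item: `${entry.body?.collection}/${entry.body?.item}`,
      reason: roleRank[requestedRole] === undefined ? 'unknown role' : 'role outranks creator',
    });
  }
  return findings;
}

// Run the audit over the constructed sample and print each finding.
for (const f of auditShareRequests(SAMPLE_LOG)) {
  console.log(`${f.ts} ${f.user} (${f.userRole}) -> share role ${f.requestedRole} on ${f.item}: ${f.reason}`);
}
```

On the sample data the audit flags two of the three share requests: bob (Viewer) asking for an Administrator share, and carol asking for a role that does not exist in the ranking. Alice's Editor-to-Viewer share passes. Treating unknown roles as a finding matters because a mis-typed or deleted role name should surface in review rather than silently pass.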
CVE-2025-24353 is a vulnerability in Directus versions ≤ 11.2.0 that allows users to access restricted data fields by manipulating the role assigned during item sharing.
You are affected if you are using Directus version 11.2.0 or earlier and use the item sharing feature with specific role hierarchies.
Upgrade Directus to version 11.2.0 or later to patch the vulnerability. If immediate upgrading is not possible, restrict the use of the item sharing feature.
There is currently no indication of active exploitation in the wild or publicly available proof-of-concept exploits.
Refer to the official Directus security advisory for detailed information and updates: [https://directus.io/security/](https://directus.io/security/)