Platform: nodejs
Component: directus
Fixed in: 11.2.1
CVE-2025-24353 describes a privilege escalation vulnerability in Directus, a real-time API and app dashboard for managing SQL database content. The flaw allows users to access fields they should not be able to see, by leveraging the item sharing feature and manipulating the role assigned to a share. The vulnerability affects versions of Directus up to and including 11.2.0, and a patch is available in version 11.2.0.
An attacker exploiting this vulnerability can bypass role-based access controls within Directus. By crafting a malicious item sharing request with an elevated role, an attacker can gain unauthorized access to sensitive data fields that are normally restricted to higher-privileged users. This could lead to data breaches, unauthorized modifications, or even complete compromise of the Directus instance, depending on the data stored and the roles involved. The impact is particularly severe in environments where sensitive data is stored and access controls are critical for compliance or security.
This vulnerability was publicly disclosed on January 23, 2025. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The CVSS score is 5.0 (MEDIUM), indicating a moderate risk. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.35% (57th percentile)
The primary mitigation for CVE-2025-24353 is to upgrade Directus to version 11.2.0 or later, which includes the necessary patch. If immediate upgrading is not possible, consider restricting the use of the item sharing feature until the upgrade can be performed. Review existing role configurations and ensure that the hierarchy is properly defined to prevent unintended privilege escalation. Implement strict input validation on all user-provided data, especially when dealing with role assignments. After upgrading, confirm the fix by attempting to share an item with a lower-privileged user and verifying that access to restricted fields is denied.
Update Directus to version 11.2.0 or later. That version contains a fix for the privilege escalation vulnerability. Updating prevents unauthorized users from accessing fields they should not be able to see through the sharing feature.
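Two of the mitigation steps above (checking that the running version carries the fix, and reviewing role assignments on existing shares) can be scripted. The following is an added example written for this page; it is not code from the advisory or from the Directus project. It runs over a constructed set of share records rather than a live instance, and the share field names (`role`, `user_created`, `collection`, `item`) and the role ranking are assumptions that must be adapted to the actual roles configured on an installation.

```python
"""Defender-side audit for CVE-2025-24353 (added example, not project code).

Two checks:
  1. is_patched(): gate the reported Directus version against the "Fixed in"
     release named on this page (11.2.1).
  2. find_escalating_shares(): flag share records whose granted role outranks
     the role of the user who created the share, which is the condition the
     advisory describes (a share carrying an elevated role).
"""
from dataclasses import dataclass

# "Fixed in" value taken from the advisory metadata.
FIXED_VERSION = (11, 2, 1)


def parse_version(version: str) -> tuple:
    """Convert '11.2.0', 'v11.2.0' or '11.3.0-rc.1' into a comparable tuple.

    Only the numeric core is compared; pre-release and build suffixes are dropped.
    """
    core = version.strip().lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def is_patched(version: str) -> bool:
    """True when the reported version is at or above the fixed release."""
    return parse_version(version) >= FIXED_VERSION


# Constructed role hierarchy for the example: higher rank = more privilege.
# This is an assumption; real installations define their own roles.
ROLE_RANK = {"public": 0, "viewer": 1, "editor": 2, "administrator": 3}


@dataclass(frozen=True)
class Share:
    """One share record. Field names follow the Directus share object as
    assumed for this example; verify them against your own export."""
    id: str
    collection: str
    item: str
    role: str          # role granted to whoever opens the share
    user_created: str  # user who created the share


def find_escalating_shares(shares, user_roles):
    """Return (share id, reason) pairs for shares that deserve review.

    A share is flagged when its granted role outranks its creator's role,
    when the creator cannot be resolved, or when the granted role is not in
    the known hierarchy. Unknown cases fail closed (they are flagged).
    """
    flagged = []
    for share in shares:
        creator_role = user_roles.get(share.user_created)
        if creator_role is None:
            flagged.append((share.id, "creator not found in user list"))
            continue
        if share.role not in ROLE_RANK:
            flagged.append((share.id, f"unknown granted role {share.role!r}"))
            continue
        if ROLE_RANK[share.role] > ROLE_RANK.get(creator_role, 0):
            flagged.append((share.id, f"{creator_role} granted {share.role}"))
    return flagged


# Constructed sample data (not real users, roles or shares).
SAMPLE_USER_ROLES = {"alice": "editor", "bob": "viewer"}
SAMPLE_SHARES = [
    Share("share-1", "articles", "42", "viewer", "alice"),        # editor -> viewer: fine
    Share("share-2", "articles", "43", "administrator", "bob"),   # viewer -> admin: escalation
    Share("share-3", "invoices", "7", "viewer", "mallory"),       # creator unknown
    Share("share-4", "invoices", "8", "superuser", "alice"),      # role outside hierarchy
]


def audit(version: str, shares=SAMPLE_SHARES, user_roles=SAMPLE_USER_ROLES) -> dict:
    """Combine both checks into one summary for a reviewer."""
    return {
        "version": version,
        "patched": is_patched(version),
        "flagged_shares": find_escalating_shares(shares, user_roles),
    }


if __name__ == "__main__":
    for version in ("11.2.0", "11.2.1"):
        result = audit(version)
        print(f"Directus {version}: patched={result['patched']}")
        for share_id, reason in result["flagged_shares"]:
            print(f"  review {share_id}: {reason}")
```

On a real installation the share records would come from an export of the shares collection and `user_roles` from the users collection; the version check is only a gate, since an unpatched instance needs the upgrade regardless of what the share audit finds.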
CVE-2025-24353 is a vulnerability in Directus versions ≤ 11.2.0 that allows users to potentially access restricted data fields by manipulating role assignments during item sharing.
You are affected if you are running Directus version 11.2.0 or earlier and use the item sharing feature with roles of differing privilege levels.
Upgrade Directus to version 11.2.0 or later to patch the vulnerability. If immediate upgrading is not possible, restrict the use of the item sharing feature.
There is currently no indication of active exploitation in the wild or publicly available proof-of-concept exploits.
Refer to the official Directus security advisory for detailed information and updates: [https://directus.io/security/](https://directus.io/security/)