CVE-2025-24353: Directus allows privilege escalation using Share feature
When sharing an item, a user can specify an arbitrary role for the share. This lets the user attach a higher-privileged role than their own, so that the shared item exposes fields the user should not otherwise be able to see.
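As an added illustration (not code from Directus or from the linked fix), the sketch below models the share flow in plain JavaScript: a share is resolved with the role stored on it, so accepting an arbitrary role from the request lets the share's creator read fields their own role hides. The role names, the field lists, the sample item and the "own role only" policy in createShareHardened are all assumptions made for this example; the actual fix is in the linked commit and pull request.

```javascript
// Added illustration (not Directus code): a minimal share model showing the
// risk described in CVE-2025-24353 and one defensive check.
// Roles, field visibility and the item are constructed sample data.
const ROLES = {
  admin:  { admin: true,  readableFields: ['id', 'title', 'salary'] },
  editor: { admin: false, readableFields: ['id', 'title'] },
};

const ITEM = { id: 1, title: 'Budget', salary: 90000 }; // constructed sample item

// Vulnerable shape: the share stores whatever role the caller asked for,
// with no relation to the caller's own permissions.
function createShareVulnerable(actor, request) {
  if (!ROLES[request.role]) throw new Error('unknown role');
  return { collection: request.collection, item: request.item, role: request.role };
}

// Hardened shape (assumed policy, not Directus's actual fix): a non-admin may
// only create shares that run with their own role, so a share can never grant
// more visibility than its creator already has.
function createShareHardened(actor, request) {
  if (!ROLES[request.role]) throw new Error('unknown role');
  const actorIsAdmin = ROLES[actor.role].admin;
  if (!actorIsAdmin && request.role !== actor.role) {
    throw new Error(`role "${request.role}" not permitted for share creator`);
  }
  return { collection: request.collection, item: request.item, role: request.role };
}

// Resolving a share applies the share's role, not the creator's: this is what
// turns an unchecked role field into a privilege-escalation path.
function readItemViaShare(share, item) {
  const allowed = new Set(ROLES[share.role].readableFields);
  return Object.fromEntries(Object.entries(item).filter(([k]) => allowed.has(k)));
}

// Runs both shapes for an editor who asks for the admin role on a share.
function demo() {
  const editor = { id: 'u1', role: 'editor' };
  const req = { collection: 'payroll', item: 1, role: 'admin' };
  const leaked = readItemViaShare(createShareVulnerable(editor, req), ITEM);
  let blocked = false;
  try { createShareHardened(editor, req); } catch { blocked = true; }
  return { leakedKeys: Object.keys(leaked), blocked };
}

console.log(JSON.stringify(demo()));
```

In the vulnerable path the editor's share resolves with the admin field list and exposes the salary field; in the hardened path the share is refused at creation time, which is where the check belongs, since a stored share outlives the request that created it.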
References
- github.com/advisories/GHSA-pmf4-v838-29hg
- github.com/directus/directus
- github.com/directus/directus/commit/e288a43a79613dada905da683f4919c6965ac804
- github.com/directus/directus/pull/23716
- github.com/directus/directus/releases/tag/v11.2.0
- github.com/directus/directus/security/advisories/GHSA-pmf4-v838-29hg
- nvd.nist.gov/vuln/detail/CVE-2025-24353
- www.youtube.com/watch?v=DbV4IxbWzN4