CVE-2025-27089: Directus allows updates to non-allowed fields due to overlapping policies

February 19, 2025

If there are two overlapping policies for the update action that allow access to different fields, instead of correctly checking access permissions against the item they apply for the user is allowed to update the superset of fields allowed by any of the policies.

E.g. have one policy allowing update access to field_a if the id == 1 and one policy allowing update access to field_b if the id == 2. The user with both these policies is allowed to update both field_a and field_b for the items with ids 1 and 2.

References

github.com/advisories/GHSA-99vm-5v2h-h6r6
github.com/directus/directus
github.com/directus/directus/commit/a7ea67783b060d0d6fc964d71c2d4575d5eee4e2
github.com/directus/directus/security/advisories/GHSA-99vm-5v2h-h6r6
nvd.nist.gov/vuln/detail/CVE-2025-27089

Detect and mitigate CVE-2025-27089 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →