CVE-2025-27089: Directus allows updates to non-allowed fields due to overlapping policies
If there are two overlapping policies for the update action that allow access to different fields, then instead of correctly checking access permissions against the item each policy applies to, the user is allowed to update the superset of the fields allowed by any of the policies.

E.g. have one policy allowing update access to field_a if the id == 1, and one policy allowing update access to field_b if the id == 2. A user with both these policies is allowed to update both field_a and field_b for the items with ids 1 and 2.
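As an added illustration (not Directus code), the following simplified JavaScript models the two policies from the example above and contrasts the flawed behaviour, where the allowed fields are merged across every policy, with per-item evaluation, where only the policies whose filter the item satisfies contribute fields. The policy shape, the filter evaluator, the item values and the helper names are constructed assumptions for this demonstration.

```javascript
'use strict';

// Constructed policy model: each policy has an item filter (only the
// `{ field: { _eq: value } }` shape is modelled) and the fields it allows
// the update action to touch. Mirrors the example: field_a if id == 1,
// field_b if id == 2.
const policies = [
  { name: 'policy_a', filter: { id: { _eq: 1 } }, fields: ['field_a'] },
  { name: 'policy_b', filter: { id: { _eq: 2 } }, fields: ['field_b'] },
];

// Evaluate a filter against a single item (constructed helper).
function matches(filter, item) {
  return Object.entries(filter).every(([key, cond]) => item[key] === cond._eq);
}

// Flawed merge, as described in the advisory: once any policy applies to the
// item, the user gets the union of fields from every overlapping policy,
// without checking each policy's filter against the item.
function allowedFieldsMerged(policies, item) {
  const anyApplies = policies.some((p) => matches(p.filter, item));
  if (!anyApplies) return new Set();
  return new Set(policies.flatMap((p) => p.fields));
}

// Corrected evaluation: only policies whose filter the item satisfies
// contribute to the allow-list for that item.
function allowedFieldsPerItem(policies, item) {
  return new Set(
    policies.filter((p) => matches(p.filter, item)).flatMap((p) => p.fields),
  );
}

// Return the payload fields that the allow-list does not permit.
function rejectedFields(allowed, payload) {
  return Object.keys(payload).filter((f) => !allowed.has(f));
}

// Constructed sample: update both fields on the item with id 1.
const item1 = { id: 1, field_a: 'old', field_b: 'old' };
const payload = { field_a: 'new', field_b: 'new' };

console.log('merged  :', rejectedFields(allowedFieldsMerged(policies, item1), payload));
console.log('per-item:', rejectedFields(allowedFieldsPerItem(policies, item1), payload));
```

With the merged allow-list the update to field_b on item 1 passes although only policy_a applies to that item; with per-item evaluation field_b is rejected.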