CVE-2025-53885: Directus is vulnerable to sensitive data exposure as user data is not being redacted when logged
When using Directus Flows to handle CRUD events for users, it is possible to log the incoming data to the console using the "Log to Console" operation and a template string. The user data written this way is not redacted, so sensitive user fields included in the event payload end up in the logs.
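As an added illustration of the mitigation (example code, not Directus's own fix or API): redact sensitive fields from a Flow event payload before rendering it into a log line. The `{{ path }}` placeholder syntax, the set of field names treated as sensitive, and the sample `users.create` event are all assumptions constructed for this example, not taken from the advisory.

```javascript
// Added example, not Directus code. Field names are an assumption about what a
// user record may contain; the advisory does not enumerate them.
const SENSITIVE_KEYS = new Set(["password", "token", "secret", "tfa_secret"]);
const REDACTED = "[REDACTED]";

// Recursively walk objects and arrays, replacing the value of any sensitive
// key (matched case-insensitively) and guarding against circular references.
function redactPayload(value, seen = new WeakSet()) {
  if (Array.isArray(value)) return value.map((v) => redactPayload(v, seen));
  if (value && typeof value === "object") {
    if (seen.has(value)) return "[Circular]";
    seen.add(value);
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? REDACTED : redactPayload(v, seen);
    }
    return out;
  }
  return value;
}

// Render a mustache-like template (assumed syntax) against the redacted data only,
// so a template such as "{{ $trigger.payload }}" can never leak raw secrets.
function renderLogLine(template, context) {
  const safe = redactPayload(context);
  return template.replace(/\{\{\s*([\w.$]+)\s*\}\}/g, (_, path) => {
    const v = path.split(".").reduce((o, key) => (o == null ? undefined : o[key]), safe);
    return typeof v === "object" ? JSON.stringify(v) : String(v);
  });
}

// Constructed sample: a users.create trigger payload as a Flow might receive it.
const sampleEvent = {
  $trigger: {
    event: "users.create",
    payload: { email: "alice@example.com", password: "correct horse", tfa_secret: "JBSWY3DP" },
  },
};

// Returns the log line that would be emitted for the sample event.
function demo() {
  return renderLogLine("user event {{ $trigger.event }}: {{ $trigger.payload }}", sampleEvent);
}

console.log(demo());
```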
References
- github.com/advisories/GHSA-x3vm-88hf-gpxp
- github.com/directus/directus
- github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff580e5
- github.com/directus/directus/pull/25355
- github.com/directus/directus/releases/tag/v11.9.0
- github.com/directus/directus/security/advisories/GHSA-x3vm-88hf-gpxp
- nvd.nist.gov/vuln/detail/CVE-2025-53885