CVE-2025-53887: Directus' exact version number is exposed by the OpenAPI Spec
The exact Directus version number is incorrectly being used as OpenAPI Spec version this means that it is being exposed by the /server/specs/oas endpoint without authentication.
References
- github.com/advisories/GHSA-rmjh-cf9q-pv7q
- github.com/directus/directus
- github.com/directus/directus/commit/e74f3e4e92edc33b5f83eefb001a3d2a85af17a3
- github.com/directus/directus/pull/25353
- github.com/directus/directus/releases/tag/v11.9.0
- github.com/directus/directus/security/advisories/GHSA-rmjh-cf9q-pv7q
- nvd.nist.gov/vuln/detail/CVE-2025-53887
Code Behaviors & Features
Detect and mitigate CVE-2025-53887 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →