CVE-2025-53889: Directus' insufficient permission checks can enable unauthenticated users to manually trigger Flows
Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to the Flow executing potential tasks on the attacker’s behalf without authenticating.
References
- github.com/advisories/GHSA-7cvf-pxgp-42fc
- github.com/directus/directus
- github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb
- github.com/directus/directus/releases/tag/v11.9.0
- github.com/directus/directus/security/advisories/GHSA-7cvf-pxgp-42fc
- nvd.nist.gov/vuln/detail/CVE-2025-53889
Code Behaviors & Features
Detect and mitigate CVE-2025-53889 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →