CVE-2025-64747: Directus is Vulnerable to Stored Cross-site Scripting
A stored cross-site scripting (XSS) vulnerability exists that allows users who hold both the file-upload and item-edit permissions to inject malicious JavaScript through the Block Editor interface. An attacker can bypass Content Security Policy (CSP) restrictions by combining an uploaded file with an iframe `srcdoc` attribute, resulting in persistent XSS that executes for other users who view the affected item.
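As an added example (not Directus code and not from the advisory), the audit helper below scans stored Block Editor content for the pattern this advisory describes, an `<iframe>` carrying a `srcdoc` attribute, and shows a minimal strip step that can run before content is persisted. The block layout (`{ blocks: [{ type, data }] }`, Editor.js style) and the field names are assumptions; adapt them to your schema.

```javascript
// Audit helper for the CVE-2025-64747 pattern: locate <iframe ... srcdoc=...>
// inside stored Block Editor JSON. Assumed block shape: { blocks: [{ type, data }] }.
const IFRAME_TAG_RE = /<iframe\b[^>]*>/gi;      // every iframe opening tag
const SRCDOC_ATTR_RE = /\bsrcdoc\s*=/i;         // srcdoc attribute inside a tag

// Walk a block's data and collect every string value, at any nesting depth.
function collectStrings(value, out = []) {
  if (typeof value === 'string') out.push(value);
  else if (Array.isArray(value)) value.forEach((v) => collectStrings(v, out));
  else if (value && typeof value === 'object') {
    Object.values(value).forEach((v) => collectStrings(v, out));
  }
  return out;
}

// Return one finding per block whose text contains an iframe with a srcdoc attribute.
function findSrcdocIframes(content) {
  const findings = [];
  (content.blocks || []).forEach((block, index) => {
    for (const text of collectStrings(block.data)) {
      const tags = text.match(IFRAME_TAG_RE) || [];
      if (tags.some((tag) => SRCDOC_ATTR_RE.test(tag))) {
        findings.push({ index, type: block.type });
        break; // one finding per block is enough for triage
      }
    }
  });
  return findings;
}

// Mitigation side: remove iframe elements (with or without a closing tag) before
// storing. Regex-based for illustration; a real HTML sanitizer library is the
// right tool in production because regexes do not parse HTML reliably.
function stripIframes(html) {
  return html
    .replace(/<iframe\b[\s\S]*?<\/iframe\s*>/gi, '')
    .replace(IFRAME_TAG_RE, '');
}

// Constructed sample content (not from any real Directus instance).
const sample = {
  blocks: [
    { type: 'paragraph', data: { text: 'Hello <b>world</b>' } },
    { type: 'raw', data: { html: '<iframe srcdoc="&lt;p&gt;x&lt;/p&gt;"></iframe>' } },
    { type: 'raw', data: { html: '<iframe src="https://example.com/"></iframe>' } },
  ],
};

console.log(findSrcdocIframes(sample)); // → [ { index: 1, type: 'raw' } ]
```

Run the scan over each item's stored Block Editor field to find existing content that needs review, and apply the strip step (or a proper sanitizer) in the write path.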