Vulnerability-Lookup

CVE-2025-55746 (GCVE-0-2025-55746)

Vulnerability from cvelistv5 – Published: 2025-08-20 17:58 – Updated: 2025-08-20 18:20

Title

Directus allows unauthenticated file upload and file modification due to lacking input sanitization

Summary

Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI. This vulnerability is fixed in 11.9.3.

Severity ?

9.3 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L

CWE

CWE-73 - External Control of File Name or Path
CWE-434 - Unrestricted Upload of File with Dangerous Type

Assigner

GitHub_M

References

URL

Tags

	https://github.com/directus/directus/security/adv…	x_refsource_CONFIRM
	https://github.com/directus/directus/commit/d84dc…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	directus	directus	Affected: >= 10.8.0, < 11.9.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-55746",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-20T18:19:49.537443Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-20T18:20:03.663Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 10.8.0, \u003c 11.9.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files\u0027 database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won\u0027t show up in the Directus UI. This vulnerability is fixed in 11.9.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73: External Control of File Name or Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-20T17:58:06.762Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-mv33-9f6j-pfmc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-mv33-9f6j-pfmc"
        },
        {
          "name": "https://github.com/directus/directus/commit/d84dcc36f75fc5c858d43746b8f9c426c38d696b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/d84dcc36f75fc5c858d43746b8f9c426c38d696b"
        }
      ],
      "source": {
        "advisory": "GHSA-mv33-9f6j-pfmc",
        "discovery": "UNKNOWN"
      },
      "title": "Directus allows unauthenticated file upload and file modification due to lacking input sanitization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-55746",
    "datePublished": "2025-08-20T17:58:06.762Z",
    "dateReserved": "2025-08-14T22:31:17.685Z",
    "dateUpdated": "2025-08-20T18:20:03.663Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-55746\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-20T18:19:49.537443Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-20T18:19:56.664Z\"}}], \"cna\": {\"title\": \"Directus allows unauthenticated file upload and file modification due to lacking input sanitization\", \"source\": {\"advisory\": \"GHSA-mv33-9f6j-pfmc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"directus\", \"product\": \"directus\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 10.8.0, \u003c 11.9.3\"}]}], \"references\": [{\"url\": \"https://github.com/directus/directus/security/advisories/GHSA-mv33-9f6j-pfmc\", \"name\": \"https://github.com/directus/directus/security/advisories/GHSA-mv33-9f6j-pfmc\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/directus/directus/commit/d84dcc36f75fc5c858d43746b8f9c426c38d696b\", \"name\": \"https://github.com/directus/directus/commit/d84dcc36f75fc5c858d43746b8f9c426c38d696b\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files\u0027 database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won\u0027t show up in the Directus UI. This vulnerability is fixed in 11.9.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-73\", \"description\": \"CWE-73: External Control of File Name or Path\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-434\", \"description\": \"CWE-434: Unrestricted Upload of File with Dangerous Type\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-08-20T17:58:06.762Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-55746\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-20T18:20:03.663Z\", \"dateReserved\": \"2025-08-14T22:31:17.685Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-08-20T17:58:06.762Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2025-55746

Vulnerability from fkie_nvd - Published: 2025-08-20 18:15 - Updated: 2026-01-13 18:29

Severity ?

9.3 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/directus/directus/commit/d84dcc36f75fc5c858d43746b8f9c426c38d696b	Patch
	security-advisories@github.com	https://github.com/directus/directus/security/advisories/GHSA-mv33-9f6j-pfmc	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	monospace	directus	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "D935DA05-410C-4095-A9E9-F41F6701641B",
              "versionEndExcluding": "11.9.3",
              "versionStartIncluding": "10.8.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files\u0027 database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won\u0027t show up in the Directus UI. This vulnerability is fixed in 11.9.3."
    },
    {
      "lang": "es",
      "value": "Directus es una API en tiempo real y un panel de control para aplicaciones que gestiona el contenido de bases de datos SQL. Desde la versi\u00f3n 10.8.0 hasta la versi\u00f3n 11.9.3, existe una vulnerabilidad en el mecanismo de actualizaci\u00f3n de archivos que permite a un usuario no autenticado modificar archivos existentes con contenido arbitrario (sin que se apliquen cambios a los metadatos residentes en la base de datos) o cargar nuevos archivos con contenido y extensiones arbitrarios, que no se mostrar\u00e1n en la interfaz de Directus. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 11.9.3."
    }
  ],
  "id": "CVE-2025-55746",
  "lastModified": "2026-01-13T18:29:53.387",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-08-20T18:15:35.183",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/directus/directus/commit/d84dcc36f75fc5c858d43746b8f9c426c38d696b"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/directus/directus/security/advisories/GHSA-mv33-9f6j-pfmc"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-73"
        },
        {
          "lang": "en",
          "value": "CWE-434"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-MV33-9F6J-PFMC

Vulnerability from github – Published: 2025-08-20 19:08 – Updated: 2025-08-20 19:08

Summary

Directus allows unauthenticated file upload and file modification due to lacking input sanitization

Details

Summary

A vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI.

Details

Directus exposes the CRUD operations for uploading or handling files under the /files route.

The endpoint handler is responsible for updating an existing file identified by the provided primary key specified through the pk parameter. Primary keys are UUID values such as /files/927b3abf-fb4b-4c66-bdaa-eb7dc48a51cb. Here the filename_disk value is never sanitized, it's possible to pass a path containing traversal sequences (../) through it, but a fully arbitrary file write is not possible in case the "local" storage handler is used. (Other storage implementations haven't been checked during the research process). The packages/storage-driver-local/src/index.ts file defines two relevant functions: write and fullpath.

The write method uses the fullPath method to create the absolute path for the to-be-created file. The join method is used to create the final path string. As the fullPath method uses join to create a relative path starting with the separator to be added under the download dir, this call normalizes the path and further upwards traversal is not possible during the write operation. With that being said, it is still possible, to make the system "ignore" the temp_ prefix given to the file, resulting in an arbitrarily named file being placed in the upload folder.

As a summary for the vulnerability:

It is possible, to change the contents of an existing file, as an existing UUID can be specified as the file name - The metadata won't change, so the mime type cannot be modified - This also makes the changes happen "silently", without directus knowing about the changes
A new, previously non-existent file can be created with arbitrary contents - The file won't show up in on the Directus UI, it can only be seen through other means (such as shell access)
An extension MUST be defined for the file to be modified - This prevents us from uploading executables or malware with no extensions, but these wouldn't be executable either way

Recommendations for fixing the vulnerability can be found in later chapters.

Requirements

As providing a primary key is required for successful exploitation, at least one asset with a known UUID must be available for an attacker. This can usually be achieved by browsing an application that uses the given Directus instance to provide images.

Naturally, the instance needs to be accessible over the network used by the attacker as well.

Once network access and knowledge of at least one file UUID is available for the attacker, exploitation can be done by sending a single request.

Potential impacts

The impact of successful exploitation is highly dependent on how Directus is set up to be used by a different application. Many different configurations can be created, but the following are likely the most noteworthy:

Setting up a phishing site

SVGs can be used to set up very sophisticated looking pages, as it allows the embedding of HTML, CSS and scripts. The issue is once again with the default-src: none CSP settings. This setting prevents the use of CSS in the SVG file, so the created page will look strange.

While the page obviously looks strange, it's important to notice that since the domain checks out, the browser could fill out the login forms, making for a much more convincing page as shown below:

An error message can be used to make it look like an error in the system!

Server serves files directly from the upload directory:

In this setup, a server such ash nginx serves files in a static manner. The served files are loaded from a "public" folder made accessible through Directus as it's recommended in the files API docs. Quoting: "make a public folder and allow access to this", except the upload folder is directly served by the server:

Since the files loaded by the server are sourced directly from the file storage, the arbitrary file write might allow an attacker to upload a webshell into the folder, giving it an arbitrary file extension. As the extension checks out as a valid PHP file for instance, and the contents are correct code, an attacker can achieve unauthenticated code execution on the server.

Poisoning hosted files

The previous examples focused on active exploitation, but it's important to mention that the vulnerability allows for arbitrary changes in files. This can be used for many different attack primitives. Let's consider the following scenario: Directus is used not only to serve contents on a company's web page, but internally as well. Onboarding documents for new entries are hosted on the instance. Manuals with links to internal services are provided through PDF files. If the file can be accessed and modified by an attacker, it would be trivial to set up a spoofed instance which receives credentials for internal services but redirects to the original, internal service right after.

Credits

The bug was discovered by Zombor Máté, a security researcher at PCA Cyber Security (https://pcacybersecurity.com/)

Severity ?

9.3 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.8.0"
            },
            {
              "fixed": "11.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@directus/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.1.0"
            },
            {
              "fixed": "28.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55746"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-20T19:08:20Z",
    "nvd_published_at": "2025-08-20T18:15:35Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nA vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files\u0027 database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won\u0027t show up in the Directus UI.\n\n## Details\n\nDirectus exposes the CRUD operations for uploading or handling files under the `/files` route.\n\nThe endpoint handler is responsible for updating an existing file identified by the provided primary key specified through the `pk` parameter. Primary keys are UUID values such as `/files/927b3abf-fb4b-4c66-bdaa-eb7dc48a51cb`. Here the `filename_disk` value is never sanitized, it\u0027s possible to pass a path containing traversal sequences (`../`) through it, but a fully arbitrary file write is not possible in case the \"local\" storage handler is used. (Other storage implementations haven\u0027t been checked during the research process). The `packages/storage-driver-local/src/index.ts` file defines two relevant functions: `write` and `fullpath`.\n\nThe `write` method uses the `fullPath` method to create the absolute path for the to-be-created file. The `join` method is used to create the final path string. As the `fullPath` method uses `join` to create a relative path starting with the separator to be added under the download dir, this call normalizes the path and further upwards traversal is not possible during the write operation. With that being said, it is still possible, to make the system \"ignore\" the `temp_` prefix given to the file, resulting in an arbitrarily named file being placed in the upload folder.\n\nAs a summary for the vulnerability:\n\n- It is possible, to change the contents of an existing file, as an existing UUID can be specified as the file name\n        - The metadata won\u0027t change, so the mime type cannot be modified\n        - This also makes the changes happen \"silently\", without directus knowing about the changes\n- A new, previously non-existent file can be created with arbitrary contents\n        - The file won\u0027t show up in on the Directus UI, it can only be seen through other means (such as shell access)\n- An extension MUST be defined for the file to be modified\n        - This prevents us from uploading executables or malware with no extensions, but these wouldn\u0027t be executable either way\n\nRecommendations for fixing the vulnerability can be found in later chapters.\n\n## Requirements \n\nAs providing a primary key is required for successful exploitation, at least one asset with a known UUID must be available for an attacker. This can usually be achieved by browsing an application that uses the given Directus instance to provide images. \n\nNaturally, the instance needs to be accessible over the network used by the attacker as well.\n\nOnce network access and knowledge of at least one file UUID is available for the attacker, exploitation can be done by sending a single request.\n\n## Potential impacts\n\nThe impact of successful exploitation is highly dependent on how Directus is set up to be used by a different application. Many different configurations can be created, but the following are likely the most noteworthy:\n\n1. Setting up a phishing site\n\nSVGs can be used to set up very sophisticated looking pages, as it allows the embedding of HTML, CSS and scripts. The issue is once again with the `default-src: none` CSP settings. This setting prevents the use of CSS in the SVG file, so the created page will look strange.\n\nWhile the page obviously looks strange, it\u0027s important to notice that since the domain checks out, the browser could fill out the login forms, making for a much more convincing page as shown below:\n\nAn error message can be used to make it look like an error in the system!\n\n2. Server serves files directly from the upload directory:\n\nIn this setup, a server such ash nginx serves files in a static manner. The served files are loaded from a \"public\" folder made accessible through Directus as it\u0027s recommended in the files API docs. Quoting: \"make a public folder and allow access to this\", except the upload folder is directly served by the server:\n\nSince the files loaded by the server are sourced directly from the file storage, the arbitrary file write might allow an attacker to upload a webshell into the folder, giving it an arbitrary file extension. As the extension checks out as a valid PHP file for instance, and the contents are correct code, an attacker can achieve unauthenticated code execution on the server.\n\n3. Poisoning hosted files\n\nThe previous examples focused on active exploitation, but it\u0027s important to mention that the vulnerability allows for arbitrary changes in files. This can be used for many different attack primitives. Let\u0027s consider the following scenario: Directus is used not only to serve contents on a company\u0027s web page, but internally as well. Onboarding documents for new entries are hosted on the instance. Manuals with links to internal services are provided through PDF files. If the file can be accessed and modified by an attacker, it would be trivial to set up a spoofed instance which receives credentials for internal services but redirects to the original, internal service right after. \n\n## Credits\n\nThe bug was discovered by Zombor M\u00e1t\u00e9, a security researcher at PCA Cyber Security (https://pcacybersecurity.com/)",
  "id": "GHSA-mv33-9f6j-pfmc",
  "modified": "2025-08-20T19:08:20Z",
  "published": "2025-08-20T19:08:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/security/advisories/GHSA-mv33-9f6j-pfmc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55746"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/commit/d84dcc36f75fc5c858d43746b8f9c426c38d696b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directus allows unauthenticated file upload and file modification due to lacking input sanitization"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-55746 (GCVE-0-2025-55746)

FKIE_CVE-2025-55746

GHSA-MV33-9F6J-PFMC

Summary

Details

Requirements

Potential impacts

Credits

Tags

Sightings

Nomenclature