CVE-2025-55746

CVSS v3 9.3 CRITICAL

9.3^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

D

irectus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI. This vulnerability is fixed in 11.9.3.

References

Link	Resource
https://github.com/directus/directus/commit/d84dcc36f75fc5c858d43746b8f9c426c38d696b	Patch
https://github.com/directus/directus/security/advisories/GHSA-mv33-9f6j-pfmc	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*

History

13 Jan 2026, 18:29

Type	Values Removed	Values Added
First Time		Monospace Monospace directus
CPE		cpe:2.3:a:monospace:directus::::::node.js::*
References	~~() https://github.com/directus/directus/commit/d84dcc36f75fc5c858d43746b8f9c426c38d696b -~~	() https://github.com/directus/directus/commit/d84dcc36f75fc5c858d43746b8f9c426c38d696b - Patch
References	~~() https://github.com/directus/directus/security/advisories/GHSA-mv33-9f6j-pfmc -~~	() https://github.com/directus/directus/security/advisories/GHSA-mv33-9f6j-pfmc - Exploit, Vendor Advisory

22 Aug 2025, 18:09

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-20 18:15

Updated : 2026-01-13 18:29

NVD link : CVE-2025-55746

Mitre link : CVE-2025-55746

CVE.ORG link : CVE-2025-55746

JSON object : View

Products Affected

directus

CWE

CWE-73

External Control of File Name or Path

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2025-55746", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.7, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-08-20T18:15:35.183", "references": [{"url": "https://github.com/directus/directus/commit/d84dcc36f75fc5c858d43746b8f9c426c38d696b", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/directus/directus/security/advisories/GHSA-mv33-9f6j-pfmc", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-73"}, {"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI. This vulnerability is fixed in 11.9.3."}, {"lang": "es", "value": "Directus es una API en tiempo real y un panel de control para aplicaciones que gestiona el contenido de bases de datos SQL. Desde la versi\u00f3n 10.8.0 hasta la versi\u00f3n 11.9.3, existe una vulnerabilidad en el mecanismo de actualizaci\u00f3n de archivos que permite a un usuario no autenticado modificar archivos existentes con contenido arbitrario (sin que se apliquen cambios a los metadatos residentes en la base de datos) o cargar nuevos archivos con contenido y extensiones arbitrarios, que no se mostrar\u00e1n en la interfaz de Directus. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 11.9.3."}], "lastModified": "2026-01-13T18:29:53.387", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "D935DA05-410C-4095-A9E9-F41F6701641B", "versionEndExcluding": "11.9.3", "versionStartIncluding": "10.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}