Description
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when a Directus Flow uses the WebHook trigger, all details of each incoming request are logged, including security-sensitive data such as the access and refresh tokens carried in cookies. A malicious admin with access to the logs can hijack the sessions of the users who triggered the Flow, for as long as the captured tokens remain valid. Version 11.9.0 fixes the issue.
Product(s):
- Monospace Directus for Node.js
- Monospace Directus 10.10.0 for Node.js
- Monospace Directus 10.10.1 for Node.js
- Monospace Directus 10.10.2 for Node.js
- Monospace Directus 10.10.3 for Node.js
- Monospace Directus 10.10.4 for Node.js
- Monospace Directus 10.10.5 for Node.js
- Monospace Directus 10.10.6 for Node.js
- Monospace Directus 10.10.7 for Node.js
- Monospace Directus 10.11.0 for Node.js
- Monospace Directus 10.11.1 for Node.js
- Monospace Directus 10.11.2 for Node.js
- Monospace Directus 10.12.0 for Node.js
- Monospace Directus 10.12.1 for Node.js
- Monospace Directus 10.13.0 for Node.js
- Monospace Directus 10.13.1 for Node.js
- Monospace Directus 10.13.2 for Node.js
- Monospace Directus 10.13.3 for Node.js
- Monospace Directus 10.13.4 for Node.js
- Monospace Directus 10.3.0 for Node.js
- Monospace Directus 10.4.0 for Node.js
- Monospace Directus 10.4.2 for Node.js
- Monospace Directus 10.4.3 for Node.js
- Monospace Directus 10.5.0 for Node.js
- Monospace Directus 10.5.1 for Node.js
- Monospace Directus 10.5.2 for Node.js
- Monospace Directus 10.5.3 for Node.js
- Monospace Directus 10.6.1 for Node.js
- Monospace Directus 10.6.2 for Node.js
- Monospace Directus 10.6.3 for Node.js
- Monospace Directus 10.6.4 for Node.js
- Monospace Directus 10.7.0 for Node.js
- Monospace Directus 10.7.0 Beta 0 for Node.js
- Monospace Directus 10.7.1 for Node.js
- Monospace Directus 10.7.2 for Node.js
- Monospace Directus 10.8.0 for Node.js
- Monospace Directus 10.8.1 for Node.js
- Monospace Directus 10.8.2 for Node.js
- Monospace Directus 10.8.3 for Node.js
- Monospace Directus 10.9.0 for Node.js
- Monospace Directus 10.9.1 for Node.js
- Monospace Directus 10.9.2 for Node.js
- Monospace Directus 10.9.3 for Node.js
- Monospace Directus 11.0.0 for Node.js
- Monospace Directus 11.0.0 Release Candidate 1 for Node.js
- Monospace Directus 11.0.0 Release Candidate 2 for Node.js
- Monospace Directus 11.0.0 Release Candidate 3 for Node.js
- Monospace Directus 11.0.1 for Node.js
- Monospace Directus 11.0.2 for Node.js
- Monospace Directus 11.1.0 for Node.js
- Monospace Directus 11.1.1 for Node.js
- Monospace Directus 11.1.2 for Node.js
- Monospace Directus 11.2.0 for Node.js
- Monospace Directus 11.2.1 for Node.js
- Monospace Directus 11.2.2 for Node.js
- Monospace Directus 11.3.0 for Node.js
- Monospace Directus 11.3.1 for Node.js
- Monospace Directus 11.3.2 for Node.js
- Monospace Directus 11.3.3 for Node.js
- Monospace Directus 11.3.4 for Node.js
- Monospace Directus 11.3.5 for Node.js
- Monospace Directus 11.4.0 for Node.js
- Monospace Directus 11.4.1 for Node.js
- Monospace Directus 11.5.0 for Node.js
- Monospace Directus 11.5.1 for Node.js
- Monospace Directus 11.6.0 for Node.js
- Monospace Directus 11.6.1 for Node.js
- Monospace Directus 11.7.0 for Node.js
- Monospace Directus 11.7.1 for Node.js
- Monospace Directus 11.7.2 for Node.js
- Monospace Directus 11.8.0 for Node.js
- Monospace Directus 9.0.0 for Node.js
- Monospace Directus 9.0.0 Alpha 10 for Node.js
- Monospace Directus 9.0.0 Alpha 11 for Node.js
- Monospace Directus 9.0.0 Alpha 12 for Node.js
- Monospace Directus 9.0.0 Alpha 13 for Node.js
- Monospace Directus 9.0.0 Alpha 14 for Node.js
- Monospace Directus 9.0.0 Alpha 15 for Node.js
- Monospace Directus 9.0.0 Alpha 16 for Node.js
- Monospace Directus 9.0.0 Alpha 17 for Node.js
- Monospace Directus 9.0.0 Alpha 18 for Node.js
- Monospace Directus 9.0.0 Alpha 19 for Node.js
- Monospace Directus 9.0.0 Alpha 1 for Node.js
- Monospace Directus 9.0.0 Alpha 20 for Node.js
- Monospace Directus 9.0.0 Alpha 21 for Node.js
- Monospace Directus 9.0.0 Alpha 22 for Node.js
- Monospace Directus 9.0.0 Alpha 23 for Node.js
- Monospace Directus 9.0.0 Alpha 24 for Node.js
- Monospace Directus 9.0.0 Alpha 25 for Node.js
- Monospace Directus 9.0.0 Alpha 26 for Node.js
- Monospace Directus 9.0.0 Alpha 27 for Node.js
- Monospace Directus 9.0.0 Alpha 2 for Node.js
- Monospace Directus 9.0.0 Alpha 31 for Node.js
- Monospace Directus 9.0.0 Alpha 32 for Node.js
- Monospace Directus 9.0.0 Alpha 33 for Node.js
- Monospace Directus 9.0.0 Alpha 34 for Node.js
- Monospace Directus 9.0.0 Alpha 35 for Node.js
- Monospace Directus 9.0.0 Alpha 36 for Node.js
- Monospace Directus 9.0.0 Alpha 37 for Node.js
- Monospace Directus 9.0.0 Alpha 38 for Node.js
- +170 additional
Questions to Ask Vendors:
- Can you confirm whether your systems are affected by CVE-2025-53886, and if so, what steps are you currently taking to mitigate this vulnerability?
- What is your estimated timeline for fully resolving CVE-2025-53886 in your products or services, and how will you communicate updates on this issue to us as your customer?
Recommended Actions:
- Check out the advisory links provided below.
References:
- http://webappsec.pbworks.com/Information-Leakage
- https://capec.mitre.org/data/definitions/116.html
- https://capec.mitre.org/data/definitions/13.html
- https://capec.mitre.org/data/definitions/169.html
- https://capec.mitre.org/data/definitions/22.html
- https://capec.mitre.org/data/definitions/224.html
- https://capec.mitre.org/data/definitions/285.html
- https://capec.mitre.org/data/definitions/287.html
- https://capec.mitre.org/data/definitions/290.html
- https://capec.mitre.org/data/definitions/291.html
- https://capec.mitre.org/data/definitions/292.html
- https://capec.mitre.org/data/definitions/293.html
- https://capec.mitre.org/data/definitions/294.html
- https://capec.mitre.org/data/definitions/295.html
- https://capec.mitre.org/data/definitions/296.html
- https://capec.mitre.org/data/definitions/297.html
- https://capec.mitre.org/data/definitions/298.html
- https://capec.mitre.org/data/definitions/299.html
- https://capec.mitre.org/data/definitions/300.html
- https://capec.mitre.org/data/definitions/301.html
- https://capec.mitre.org/data/definitions/302.html
- https://capec.mitre.org/data/definitions/303.html
- https://capec.mitre.org/data/definitions/304.html
- https://capec.mitre.org/data/definitions/305.html
- https://capec.mitre.org/data/definitions/306.html
- https://capec.mitre.org/data/definitions/307.html
- https://capec.mitre.org/data/definitions/308.html
- https://capec.mitre.org/data/definitions/309.html
- https://capec.mitre.org/data/definitions/310.html
- https://capec.mitre.org/data/definitions/312.html
- https://capec.mitre.org/data/definitions/313.html
- https://capec.mitre.org/data/definitions/317.html
- https://capec.mitre.org/data/definitions/318.html
- https://capec.mitre.org/data/definitions/319.html
- https://capec.mitre.org/data/definitions/320.html
- https://capec.mitre.org/data/definitions/321.html
- https://capec.mitre.org/data/definitions/322.html
- https://capec.mitre.org/data/definitions/323.html
- https://capec.mitre.org/data/definitions/324.html
- https://capec.mitre.org/data/definitions/325.html
- https://capec.mitre.org/data/definitions/326.html
- https://capec.mitre.org/data/definitions/327.html
- https://capec.mitre.org/data/definitions/328.html
- https://capec.mitre.org/data/definitions/329.html
- https://capec.mitre.org/data/definitions/330.html
- https://capec.mitre.org/data/definitions/472.html
- https://capec.mitre.org/data/definitions/497.html
- https://capec.mitre.org/data/definitions/508.html
- https://capec.mitre.org/data/definitions/573.html
- https://capec.mitre.org/data/definitions/574.html
- https://capec.mitre.org/data/definitions/575.html
- https://capec.mitre.org/data/definitions/576.html
- https://capec.mitre.org/data/definitions/577.html
- https://capec.mitre.org/data/definitions/59.html
- https://capec.mitre.org/data/definitions/60.html
- https://capec.mitre.org/data/definitions/616.html
- https://capec.mitre.org/data/definitions/643.html
- https://capec.mitre.org/data/definitions/646.html
- https://capec.mitre.org/data/definitions/651.html
- https://capec.mitre.org/data/definitions/79.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-53886