Description
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly used as the OpenAPI Spec version, which means it is exposed by the `/server/specs/oas` endpoint without authentication. With the exact version information, a malicious attacker can look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version. Version 11.9.0 fixes the issue.
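A defender-side check for the condition described above, as an added example that is not Directus code or part of the advisory: it takes the body returned by an unauthenticated request to `/server/specs/oas` on your own instance and reports whether the OpenAPI `info.version` field falls in the range the description gives. The function names, status strings and sample bodies are constructed for illustration, and ignoring pre-release suffixes is an assumption.

```javascript
// Added example, not Directus code. Range from the advisory: >= 9.0.0, < 11.9.0.
const AFFECTED_FROM = [9, 0, 0];
const FIXED_IN = [11, 9, 0];

// Parse "major.minor.patch" with an optional pre-release/build suffix.
// Assumption: the suffix is ignored, so "9.0.0-alpha.1" compares as 9.0.0.
function parseVersion(value) {
  if (typeof value !== 'string') return null;
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.-]+)?$/.exec(value.trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// body: raw text returned by a request sent WITHOUT credentials.
function auditOasBody(body) {
  let spec;
  try {
    spec = JSON.parse(body);
  } catch (err) {
    return { status: 'not-json', version: null };
  }
  const raw = spec && spec.info ? spec.info.version : undefined;
  const parsed = parseVersion(raw);
  if (!parsed) return { status: 'no-version-string', version: null };
  const inRange = compareVersions(parsed, AFFECTED_FROM) >= 0 &&
    compareVersions(parsed, FIXED_IN) < 0;
  return { status: inRange ? 'affected-range' : 'outside-range', version: raw };
}

// Constructed sample bodies (not captured from any real server).
const SAMPLES = [
  '{"openapi":"3.0.1","info":{"title":"Example","version":"10.13.1"}}',
  '{"openapi":"3.0.1","info":{"title":"Example","version":"11.9.0"}}',
  '{"openapi":"3.0.1","info":{"title":"Example","version":"9.0.0-alpha.12"}}',
  '{"errors":[{"message":"constructed error body"}]}',
  '<html>constructed non-JSON body</html>',
];
for (const body of SAMPLES) console.log(auditOasBody(body));
```

An `affected-range` result means the unauthenticated response carries a version-shaped string inside the range the description names; confirm the actual deployed version before acting on it.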
Product(s):
- Monospace Directus for Node.js
- Monospace Directus 10.10.0 for Node.js
- Monospace Directus 10.10.1 for Node.js
- Monospace Directus 10.10.2 for Node.js
- Monospace Directus 10.10.3 for Node.js
- Monospace Directus 10.10.4 for Node.js
- Monospace Directus 10.10.5 for Node.js
- Monospace Directus 10.10.6 for Node.js
- Monospace Directus 10.10.7 for Node.js
- Monospace Directus 10.11.0 for Node.js
- Monospace Directus 10.11.1 for Node.js
- Monospace Directus 10.11.2 for Node.js
- Monospace Directus 10.12.0 for Node.js
- Monospace Directus 10.12.1 for Node.js
- Monospace Directus 10.13.0 for Node.js
- Monospace Directus 10.13.1 for Node.js
- Monospace Directus 10.13.2 for Node.js
- Monospace Directus 10.13.3 for Node.js
- Monospace Directus 10.13.4 for Node.js
- Monospace Directus 10.3.0 for Node.js
- Monospace Directus 10.4.0 for Node.js
- Monospace Directus 10.4.2 for Node.js
- Monospace Directus 10.4.3 for Node.js
- Monospace Directus 10.5.0 for Node.js
- Monospace Directus 10.5.1 for Node.js
- Monospace Directus 10.5.2 for Node.js
- Monospace Directus 10.5.3 for Node.js
- Monospace Directus 10.6.1 for Node.js
- Monospace Directus 10.6.2 for Node.js
- Monospace Directus 10.6.3 for Node.js
- Monospace Directus 10.6.4 for Node.js
- Monospace Directus 10.7.0 - for Node.js
- Monospace Directus 10.7.0 Beta 0 for Node.js
- Monospace Directus 10.7.1 for Node.js
- Monospace Directus 10.7.2 for Node.js
- Monospace Directus 10.8.0 for Node.js
- Monospace Directus 10.8.1 for Node.js
- Monospace Directus 10.8.2 for Node.js
- Monospace Directus 10.8.3 for Node.js
- Monospace Directus 10.9.0 for Node.js
- Monospace Directus 10.9.1 for Node.js
- Monospace Directus 10.9.2 for Node.js
- Monospace Directus 10.9.3 for Node.js
- Monospace Directus 11.0.0 for Node.js
- Monospace Directus 11.0.0 Release Candidate 1 for Node.js
- Monospace Directus 11.0.0 Release Candidate 2 for Node.js
- Monospace Directus 11.0.0 Release Candidate 3 for Node.js
- Monospace Directus 11.0.1 for Node.js
- Monospace Directus 11.0.2 for Node.js
- Monospace Directus 11.1.0 for Node.js
- Monospace Directus 11.1.1 for Node.js
- Monospace Directus 11.1.2 for Node.js
- Monospace Directus 11.2.0 for Node.js
- Monospace Directus 11.2.1 for Node.js
- Monospace Directus 11.2.2 for Node.js
- Monospace Directus 11.3.0 for Node.js
- Monospace Directus 11.3.1 for Node.js
- Monospace Directus 11.3.2 for Node.js
- Monospace Directus 11.3.3 for Node.js
- Monospace Directus 11.3.4 for Node.js
- Monospace Directus 11.3.5 for Node.js
- Monospace Directus 11.4.0 for Node.js
- Monospace Directus 11.4.1 for Node.js
- Monospace Directus 11.5.0 for Node.js
- Monospace Directus 11.5.1 for Node.js
- Monospace Directus 11.6.0 for Node.js
- Monospace Directus 11.6.1 for Node.js
- Monospace Directus 11.7.0 for Node.js
- Monospace Directus 11.7.1 for Node.js
- Monospace Directus 11.7.2 for Node.js
- Monospace Directus 11.8.0 for Node.js
- Monospace Directus 9.0.0 for Node.js
- Monospace Directus 9.0.0 Alpha 10 for Node.js
- Monospace Directus 9.0.0 Alpha 11 for Node.js
- Monospace Directus 9.0.0 Alpha 12 for Node.js
- Monospace Directus 9.0.0 Alpha 13 for Node.js
- Monospace Directus 9.0.0 Alpha 14 for Node.js
- Monospace Directus 9.0.0 Alpha 15 for Node.js
- Monospace Directus 9.0.0 Alpha 16 for Node.js
- Monospace Directus 9.0.0 Alpha 17 for Node.js
- Monospace Directus 9.0.0 Alpha 18 for Node.js
- Monospace Directus 9.0.0 Alpha 19 for Node.js
- Monospace Directus 9.0.0 Alpha 1 for Node.js
- Monospace Directus 9.0.0 Alpha 20 for Node.js
- Monospace Directus 9.0.0 Alpha 21 for Node.js
- Monospace Directus 9.0.0 Alpha 22 for Node.js
- Monospace Directus 9.0.0 Alpha 23 for Node.js
- Monospace Directus 9.0.0 Alpha 24 for Node.js
- Monospace Directus 9.0.0 Alpha 25 for Node.js
- Monospace Directus 9.0.0 Alpha 26 for Node.js
- Monospace Directus 9.0.0 Alpha 27 for Node.js
- Monospace Directus 9.0.0 Alpha 2 for Node.js
- Monospace Directus 9.0.0 Alpha 31 for Node.js
- Monospace Directus 9.0.0 Alpha 32 for Node.js
- Monospace Directus 9.0.0 Alpha 33 for Node.js
- Monospace Directus 9.0.0 Alpha 34 for Node.js
- Monospace Directus 9.0.0 Alpha 35 for Node.js
- Monospace Directus 9.0.0 Alpha 36 for Node.js
- Monospace Directus 9.0.0 Alpha 37 for Node.js
- Monospace Directus 9.0.0 Alpha 38 for Node.js
- +170 additional
Questions to Ask Vendors:
- Can you confirm whether your systems are affected by CVE-2025-53887, and if so, what steps are you currently taking to mitigate this vulnerability?
- What is your estimated timeline for fully resolving CVE-2025-53887 in your products or services, and how will you communicate updates on this issue to us as your customer?
Recommended Actions:
- Check out the advisory links provided below.
References:
- http://webappsec.pbworks.com/Information-Leakage
- https://capec.mitre.org/data/definitions/116.html
- https://capec.mitre.org/data/definitions/13.html
- https://capec.mitre.org/data/definitions/169.html
- https://capec.mitre.org/data/definitions/22.html
- https://capec.mitre.org/data/definitions/224.html
- https://capec.mitre.org/data/definitions/285.html
- https://capec.mitre.org/data/definitions/287.html
- https://capec.mitre.org/data/definitions/290.html
- https://capec.mitre.org/data/definitions/291.html
- https://capec.mitre.org/data/definitions/292.html
- https://capec.mitre.org/data/definitions/293.html
- https://capec.mitre.org/data/definitions/294.html
- https://capec.mitre.org/data/definitions/295.html
- https://capec.mitre.org/data/definitions/296.html
- https://capec.mitre.org/data/definitions/297.html
- https://capec.mitre.org/data/definitions/298.html
- https://capec.mitre.org/data/definitions/299.html
- https://capec.mitre.org/data/definitions/300.html
- https://capec.mitre.org/data/definitions/301.html
- https://capec.mitre.org/data/definitions/302.html
- https://capec.mitre.org/data/definitions/303.html
- https://capec.mitre.org/data/definitions/304.html
- https://capec.mitre.org/data/definitions/305.html
- https://capec.mitre.org/data/definitions/306.html
- https://capec.mitre.org/data/definitions/307.html
- https://capec.mitre.org/data/definitions/308.html
- https://capec.mitre.org/data/definitions/309.html
- https://capec.mitre.org/data/definitions/310.html
- https://capec.mitre.org/data/definitions/312.html
- https://capec.mitre.org/data/definitions/313.html
- https://capec.mitre.org/data/definitions/317.html
- https://capec.mitre.org/data/definitions/318.html
- https://capec.mitre.org/data/definitions/319.html
- https://capec.mitre.org/data/definitions/320.html
- https://capec.mitre.org/data/definitions/321.html
- https://capec.mitre.org/data/definitions/322.html
- https://capec.mitre.org/data/definitions/323.html
- https://capec.mitre.org/data/definitions/324.html
- https://capec.mitre.org/data/definitions/325.html
- https://capec.mitre.org/data/definitions/326.html
- https://capec.mitre.org/data/definitions/327.html
- https://capec.mitre.org/data/definitions/328.html
- https://capec.mitre.org/data/definitions/329.html
- https://capec.mitre.org/data/definitions/330.html
- https://capec.mitre.org/data/definitions/472.html
- https://capec.mitre.org/data/definitions/497.html
- https://capec.mitre.org/data/definitions/508.html
- https://capec.mitre.org/data/definitions/573.html
- https://capec.mitre.org/data/definitions/574.html
- https://capec.mitre.org/data/definitions/575.html
- https://capec.mitre.org/data/definitions/576.html
- https://capec.mitre.org/data/definitions/577.html
- https://capec.mitre.org/data/definitions/59.html
- https://capec.mitre.org/data/definitions/60.html
- https://capec.mitre.org/data/definitions/616.html
- https://capec.mitre.org/data/definitions/643.html
- https://capec.mitre.org/data/definitions/646.html
- https://capec.mitre.org/data/definitions/651.html
- https://capec.mitre.org/data/definitions/79.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-53887