CVE-2025-30353

描述

### Describe the Bug In Directus, when a **Flow** with the "_Webhook_" trigger and the "_Data of Last Operation_" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse.    ### To Reproduce **Steps to Reproduce:** 1. Create a Flow in Directus with: - Trigger: Webhook - Response Body: Data of Last Operation 2. Add a condition that is likely to fail. 3. Trigger the Flow with any input data that will fail the condition. 4. Observe the API response, which includes sensitive information like: - Environmental variables (`$env`) - Authorization headers - User details under `$accountability` - Previous operational data. **Expected Behavior:** In the event of a ValidationError, the API response should only contain relevant error messages and details, avoiding the exposure of sensitive data. **Actual Behavior:** The API response includes sensitive information such as: - Environment keys (`FLOWS_ENV_ALLOW_LIST`) - User accountability (`role`, `user`, etc.) - Operational logs (`current_payments`, `$last`), which might contain private details.

受影響套件(1)

• npm/directus>= 9.12.0, < 11.5.0

CVSS 分數

參考連結(3)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-30353
• PATCHhttps://github.com/directus/directus
• WEBhttps://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h