CVE-2025-53886
MEDIUM4.5EPSS 0.31%Directus tokens are not redacted in flow logs, exposing session credentials to all admin
發布日:2025/7/15修改日:2025/7/15
描述
### Summary When using Directus Flows with the WebHook trigger, all incoming request details are logged including security sensitive data like access and refresh tokens in cookies. ### Impact Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them triggering the Flow.
受影響套件(1)
- npm/directusfrom 0, < 11.9.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-53886
- PATCHhttps://github.com/directus/directus
- WEBhttps://github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff580e5
- WEBhttps://github.com/directus/directus/releases/tag/v11.9.0
- WEBhttps://github.com/directus/directus/security/advisories/GHSA-f24x-rm6g-3w5v