Vulnerability Description
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console" operation and a template string. Malicious admins can log sensitive data from other users when they are created or updated. Version 11.9.0 contains a fix for the issue. As a workaround, avoid logging sensitive data to the console outside the context of development.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Monospace | Directus | >= 9.0.0, < 11.9.0 |
Related Weaknesses (CWE)
References
- https://github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff5Patch
- https://github.com/directus/directus/pull/25355Patch
- https://github.com/directus/directus/releases/tag/v11.9.0Release Notes
- https://github.com/directus/directus/security/advisories/GHSA-x3vm-88hf-gpxpThird Party Advisory
FAQ
What is CVE-2025-53885?
CVE-2025-53885 is a vulnerability with a CVSS score of 4.2 (MEDIUM). Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is ...
How severe is CVE-2025-53885?
CVE-2025-53885 has been rated MEDIUM with a CVSS base score of 4.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-53885?
Check the references section above for vendor advisories and patch information. Affected products include: Monospace Directus.