Vulnerability Description
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming request details are logged including security sensitive data like access and refresh tokens in cookies. Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them triggering the Flow. Version 11.9.0 fixes the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Monospace | Directus | >= 9.0.0, < 11.9.0 |
Related Weaknesses (CWE)
References
- https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb0Patch
- https://github.com/directus/directus/pull/25354Patch
- https://github.com/directus/directus/releases/tag/v11.9.0Release Notes
- https://github.com/directus/directus/security/advisories/GHSA-f24x-rm6g-3w5vThird Party Advisory
FAQ
What is CVE-2025-53886?
CVE-2025-53886 is a vulnerability with a CVSS score of 4.5 (MEDIUM). Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming ...
How severe is CVE-2025-53886?
CVE-2025-53886 has been rated MEDIUM with a CVSS base score of 4.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-53886?
Check the references section above for vendor advisories and patch information. Affected products include: Monospace Directus.