CVE-2025-30353
Severity: HIGH
Directus 9.12.0-11.4.9 - Exposure of Sensitive Information via Webhook Flow ValidationError
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse. Version 11.5.0 fixes the issue.
References (1)
Exploit, Third Party Advisory (x_refsource_confirm): https://github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h
Scores
CVSS v3
8.6
EPSS
0.0036
EPSS Percentile
58.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (2)
monospace/directus: 9.12.0 - 11.5.0
npm/directus: 9.12.0 - 11.5.0
Published
Mar 26, 2025
Tracked Since
Feb 18, 2026