CVE-2025-55746

CRITICAL

Directus <11.9.3 - File Upload

Title source: llm

Description

Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI. This vulnerability is fixed in 11.9.3.

Exploits (1)

nomisec WRITEUP 1 stars
by r4bbit-r4 · poc
https://github.com/r4bbit-r4/directus-preso

References (2)

Scores

CVSS v3 9.3
EPSS 0.0007
EPSS Percentile 22.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L

Details

CWE
CWE-434 CWE-73
Status published
Products (3)
directus/api 14.1.0 - 28.0.2npm
monospace/directus 10.8.0 - 11.9.3
npm/directus 10.8.0 - 11.9.3npm
Published Aug 20, 2025
Tracked Since Feb 18, 2026