Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1mMjR4LXJtNmctM3c1ds4ABKKH

Moderate EPSS: 0.00037% (0.09897 Percentile) EPSS:
Permalink JSON

Directus tokens are not redacted in flow logs, exposing session credentials to all admin

Affected Packages Affected Versions Fixed Versions
npm:directus < 11.9.0 11.9.0
16 Dependent packages
115 Dependent repositories
39,960 Downloads last month

Affected Version Ranges

All affected versions

9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.5.0, 9.5.1, 9.5.2, 9.6.0, 9.7.0, 9.7.1, 9.8.0, 9.9.0, 9.9.1, 9.10.0, 9.11.0, 9.11.1, 9.12.0, 9.12.1, 9.12.2, 9.13.0, 9.14.0, 9.14.1, 9.14.2, 9.14.3, 9.14.5, 9.15.0, 9.15.1, 9.16.0, 9.16.1, 9.17.0, 9.17.1, 9.17.2, 9.17.3, 9.17.4, 9.18.0, 9.18.1, 9.19.0, 9.19.1, 9.19.2, 9.20.0, 9.20.1, 9.20.2, 9.20.3, 9.20.4, 9.21.0, 9.21.2, 9.22.0, 9.22.1, 9.22.3, 9.22.4, 9.23.1, 9.23.3, 9.23.4, 9.24.0, 9.25.0, 9.25.1, 9.25.2, 9.26.0, 10.0.0, 10.1.0, 10.1.1, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.4.1, 10.4.2, 10.4.3, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.7.0, 10.7.1, 10.7.2, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.9.0, 10.9.1, 10.9.2, 10.9.3, 10.10.0, 10.10.1, 10.10.2, 10.10.3, 10.10.4, 10.10.5, 10.10.6, 10.10.7, 10.11.0, 10.11.1, 10.11.2, 10.12.0, 10.12.1, 10.13.0, 10.13.1, 10.13.2, 10.13.4, 11.0.0, 11.0.1, 11.0.2, 11.1.0, 11.1.1, 11.1.2, 11.2.0, 11.2.1, 11.2.2, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.6.0, 11.6.1, 11.7.0, 11.7.1, 11.7.2, 11.8.0

All unaffected versions

11.9.0, 11.9.1, 11.9.2, 11.9.3

Summary

When using Directus Flows with the WebHook trigger, all incoming request details are logged including security sensitive data like access and refresh tokens in cookies.

Impact

Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them triggering the Flow.

References:

Identifiers

GHSA-f24x-rm6g-3w5v

CVE-2025-53886

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00037

EPSS Percentile: 0.09897

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/directus/directus

Date and time

Published

14 days ago

Updated

14 days ago

API

JSON