Summary
The exact Directus version number is incorrectly used as the OpenAPI spec version, so it is exposed through the /server/specs/oas endpoint without authentication.
Impact
With the exact version information, an attacker can look up known vulnerabilities in Directus core or in any of its shipped dependencies for that specific running version.
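As an added example (not part of the advisory or the Directus project), the following Python helper lets an operator verify, from a saved copy of their own instance's /server/specs/oas response, whether the spec still discloses the running Directus version. It compares the spec's `info.version` against the version the operator knows they run and also applies a simple heuristic for release-looking version strings. The sample documents and the version strings "11.8.0" and "v1" are constructed placeholders, not real Directus output, and the function names are this example's own.

```python
import json
import re

# Heuristic: a concrete release number such as "11.8.0" (optionally with a
# pre-release or build suffix). A generic label such as "v1" does not match.
EXACT_RELEASE_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.]+)?$")


def spec_version(spec_text: str):
    """Return the info.version field of an OpenAPI JSON document, or None."""
    spec = json.loads(spec_text)
    info = spec.get("info")
    if not isinstance(info, dict):
        return None
    return info.get("version")


def looks_like_exact_release(version) -> bool:
    """True when the version string reads like a specific product release."""
    return isinstance(version, str) and bool(EXACT_RELEASE_RE.match(version))


def version_disclosed(spec_text: str, running_version: str) -> bool:
    """True when the spec echoes the Directus version the operator runs.

    `running_version` is known to the operator (for example from the
    authenticated /server/info endpoint or the deployment manifest); the
    spec is fetched without credentials, so a match means anonymous callers
    learn the exact build.
    """
    return spec_version(spec_text) == running_version


def audit_oas(spec_text: str, running_version: str) -> dict:
    """Summarise both checks in one finding dict."""
    version = spec_version(spec_text)
    return {
        "spec_version": version,
        "matches_running_version": version == running_version,
        "looks_like_release": looks_like_exact_release(version),
    }


# Constructed sample responses (placeholders, not captured Directus output).
LEAKING_SPEC = json.dumps({
    "openapi": "3.0.1",
    "info": {"title": "Dynamic API Specification", "version": "11.8.0"},
    "paths": {},
})

GENERIC_SPEC = json.dumps({
    "openapi": "3.0.1",
    "info": {"title": "Dynamic API Specification", "version": "v1"},
    "paths": {},
})

if __name__ == "__main__":
    # Operator-supplied value; "11.8.0" is a constructed placeholder.
    print(audit_oas(LEAKING_SPEC, "11.8.0"))
    print(audit_oas(GENERIC_SPEC, "11.8.0"))
```

Run it against the JSON saved from an unauthenticated request to your own instance's /server/specs/oas before and after upgrading to v11.9.0; a `matches_running_version` of True is the condition this advisory describes.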
References:
- https://github.com/directus/directus/security/advisories/GHSA-rmjh-cf9q-pv7q
- https://nvd.nist.gov/vuln/detail/CVE-2025-53887
- https://github.com/directus/directus/pull/25353
- https://github.com/directus/directus/commit/e74f3e4e92edc33b5f83eefb001a3d2a85af17a3
- https://github.com/directus/directus/releases/tag/v11.9.0
- https://github.com/advisories/GHSA-rmjh-cf9q-pv7q