一、 漏洞 CVE-2025-53889 基础信息
漏洞信息
                                        # Directus 缺少对手动触发流程的权限检查

N/A
提示
尽管我们采用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
Directus missing permission checks for manual trigger Flows
来源:美国国家漏洞数据库 NVD
漏洞描述信息
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to the Flow executing potential tasks on the attacker's behalf without authenticating. Bad actors could execute the manual trigger Flows without authentication, or access rights to the said collection(s) or item(s). Users with manual trigger Flows configured are impacted as these endpoints do not currently validate if the user has read access to `directus_flows` or to the relevant collection/items. The manual trigger Flows should have tighter security requirements as compared to webhook Flows where users are expected to perform do their own checks. Version 11.9.0 fixes the issue. As a workaround, implement permission checks for read access to Flows and read access to relevant collection/items.
来源:美国国家漏洞数据库 NVD
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
来源:美国国家漏洞数据库 NVD
漏洞类别
认证机制不恰当
来源:美国国家漏洞数据库 NVD
二、漏洞 CVE-2025-53889 的公开POC
# POC 描述 源链接 神龙链接
三、漏洞 CVE-2025-53889 的情报信息

  • 标题: Release v11.9.0 · directus/directus · GitHub -- 🔗来源链接

    标签: x_refsource_MISC

    神龙速读
    Release v11.9.0 · directus/directus · GitHub

  • 标题: Missing permission checks for manual trigger Flows · Advisory · directus/directus · GitHub -- 🔗来源链接

    标签: x_refsource_CONFIRM

    神龙速读
    Missing permission checks for manual trigger Flows · Advisory · directus/directus · GitHub

  • 标题: Fix manual flows to only trigger with appropriate permissions (#25354) · directus/directus@22be460 · GitHub -- 🔗来源链接

    标签: x_refsource_MISC

    神龙速读
    Fix manual flows to only trigger with appropriate permissions (#25354) · directus/directus@22be460 · GitHub
  • https://nvd.nist.gov/vuln/detail/CVE-2025-53889