CVE-2025-30353
Published 2025-03-26
Priority: P3 (45) · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.51% (39.3rd percentile)
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse. Version 11.5.0 fixes the issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| directus | directus | — | — |
| directus | directus | >= 9.12.0 < 11.5.0 | 11.5.0 |
| monospace | directus | >= 9.12.0 < 11.5.0 | 11.5.0 |
OSV
Directus's webhook trigger flows can leak sensitive data
osv · 2025-03-26 · CVE-2025-30353 · severity HIGH
### Describe the Bug
In Directus, when a **Flow** with the "_Webhook_" trigger and the "_Data of Last Operation_" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data.
This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse.
### To Reproduce
**Steps to Reproduce:**
1. Create a Flow in Directus with:
- Trigger: Webhook
- Response Body: Data of Last Operation
2. Add a condition that is likely to fail.
3. Trigger the Flow with any input data that will fail the condition.
4. Observe the API
GHSA
Directus's webhook trigger flows can leak sensitive data
ghsa · 2025-03-26 · CVE-2025-30353 · severity HIGH · CWE-200
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.