CVE-2025-55746 — External Control of File Name or Path in Directus

CWE-73 — External Control of File Name or Path CWE-434 — Unrestricted File Upload3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 77.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Monospace Directus Directus API Directus

Timeline

PublishedAug 20

Description

Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI. This vulnerability is fixed in 11.9.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶npmdirectus/api14.1.0 — 28.0.2

▶npmdirectus/directus10.8.0 — 11.9.3

▶NVDmonospace/directus10.8.0 — 11.9.3

▶CVEListV5directus/directus>= 10.8.0, < 11.9.3

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

Directus allows unauthenticated file upload and file modification due to lacking input sanitization↗2025-08-20

▶

OSV

Directus allows unauthenticated file upload and file modification due to lacking input sanitization↗2025-08-20

▶