CVE-2025-30353

Published Mar 26, 2025

Last updated 8 days ago

CVSS high 8.6

Overview

Description
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse. Version 11.5.0 fixes the issue.
Source
security-advisories@github.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.6
Impact score
4
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-200

Social media

Hype score
Not currently trending

  1. 🚨 CVE-2025-30353 🔴 HIGH (8.6) 🏢 directus - directus 🏗️ >= 9.12.0, < 11.5.0 🔗 https://t.co/ZFE9XwcliU #CyberCron #VulnAlert #InfoSec https://t.co/KUFYolFCUe

    @cybercronai

    29 Mar 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Critical Alert: CVE-2025-30353 exposes sensitive data in Directus webhook flows—unauthorized access to API triggers. Patch immediately or disable vulnerable webhooks. Full details: https://t.co/9gA8KVtQrK #CyberSecurity #APISecurity

    @adriananglin

    28 Mar 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. ⚡️The vulnerability details are now available: https://t.co/BDvEkKymip 🚨🚨CVE-2025-30353 (CVSS 8.6) in Directus! Webhook trigger flows are spilling the tea—sensitive data like environmental variables, API keys, user info, and operational data leaking when a ValidationError htt

    @zoomeye_team

    28 Mar 2025

    485 Impressions

    0 Retweets

    8 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  4. CVE-2025-30353 Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "Webhook… https://t.co/vfBAraDnUn

    @CVEnew

    26 Mar 2025

    139 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. [CVE-2025-30353: HIGH] Vulnerable Directus versions expose sensitive data in API responses, a significant cybersecurity risk. Update to version 11.5.0 to fix this issue in the real-time API and App dashboard.#cybersecurity,#vulnerability https://t.co/fGUGF0ydTt https://t.co/Fbz4M

    @CveFindCom

    26 Mar 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References