CVE-2025-53885

Directus doesn't redact sensitive user data when logging via event hooks

Description

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console" operation and a template string. Malicious admins can log sensitive data from other users when they are created or updated. Version 11.9.0 contains a fix for the issue. As a workaround, avoid logging sensitive data to the console outside the context of development.

Category

4.2
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.01%
Third-Party Advisory github.com
Affected: directus directus
Published at:
Updated at:

References

Link Tags
https://github.com/directus/directus/security/advisories/GHSA-x3vm-88hf-gpxp third party advisory
https://github.com/directus/directus/pull/25355 patch
https://github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff580e5 patch
https://github.com/directus/directus/releases/tag/v11.9.0 release notes

Frequently Asked Questions

What is the severity of CVE-2025-53885?
CVE-2025-53885 has been scored as a medium severity vulnerability.
How to fix CVE-2025-53885?
To fix CVE-2025-53885, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-53885 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-53885 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-53885?
CVE-2025-53885 affects directus directus.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.