SCA: security update for @directus/api, directus (GHSA-99vm-5v2h-h6r6)

medium Tenable Cloud Security Plugin ID 420920

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Directus is a real-time API and App dashboard for managing SQL database content. In affected versions if
there are two overlapping policies for the `update` action that allow access to different fields, instead
of correctly checking access permissions against the item they apply for the user is allowed to update the
superset of fields allowed by any of the policies. E.g. have one policy allowing update access to
`field_a` if the `id == 1` and one policy allowing update access to `field_b` if the `id == 2`. The user
with both these policies is allowed to update both `field_a` and `field_b` for the items with ids `1` and
`2`. Before v11, if a user was allowed to update an item they were allowed to update the fields that the
single permission, that applied to that item, listed. With overlapping permissions this isn't as clear cut
anymore and the union of fields might not be the fields the user is allowed to update for that specific
item. The solution that this PR introduces is to evaluate the permissions for each field that the user
tries to update in the validateItemAccess DB query, instead of only verifying access to the item as a
whole. This is done by, instead of returning the actual field value, returning a flag that indicates if
the user has access to that field. This uses the same case/when mechanism that is used for stripping out
non permitted field that is at the core of the permissions engine. As a result, for every item that the
access is validated for, the expected result is an item that has either 1 or null for all the "requested"
fields instead of any of the actual field values. These results are not useful for anything other than
verifying the field level access permissions. The final check in validateItemAccess can either fail if the
number of items does not match the number of items the access is checked for (ie. the user does not have
access to the item at all) or if not all of the passed in fields have access permissions for any of the
returned items. This is a vulnerability that allows update access to unintended fields, potentially
impacting the password field for user accounts. This has been addressed in version 11.1.2 and all users
are advised to upgrade. There are no known workarounds for this vulnerability. (CVE-2025-27089)

See Also

https://github.com/advisories/GHSA-99vm-5v2h-h6r6

Plugin Details

Severity: Medium

ID: 420920

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 2/19/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2025-27089

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/19/2025

Vulnerability Publication Date: 2/19/2025

Reference Information

CVE: CVE-2025-27089

cwe: CWE-863