SCA: security update for directus (GHSA-7cvf-pxgp-42fc)

medium Tenable Cloud Security Plugin ID 428401

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Directus is a real-time API and App dashboard for managing SQL database content. Starting in version
9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the
user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what
the Flow is set up to do this can lead to the Flow executing potential tasks on the attacker's behalf
without authenticating. Bad actors could execute the manual trigger Flows without authentication, or
access rights to the said collection(s) or item(s). Users with manual trigger Flows configured are
impacted as these endpoints do not currently validate if the user has read access to `directus_flows` or
to the relevant collection/items. The manual trigger Flows should have tighter security requirements as
compared to webhook Flows where users are expected to perform do their own checks. Version 11.9.0 fixes
the issue. As a workaround, implement permission checks for read access to Flows and read access to
relevant collection/items. (CVE-2025-53889)

See Also

https://github.com/advisories/GHSA-7cvf-pxgp-42fc

Plugin Details

Severity: Medium

ID: 428401

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 7/15/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.1

Percentile: 7.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2025-53889

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/15/2025

Vulnerability Publication Date: 7/14/2025

Reference Information

CVE: CVE-2025-53889