CVE-2025-55746 CRITICAL

CVE-2025-55746: Directus allows unauthenticated file upload and file modification due to lacking input sanitization

Vendor Directus
Product directus
Weakness CWE-73 (External Control of File Name or Path)
Published August 20, 2025
Last update August 20, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Changed
Confidentiality None
Integrity High
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L

What the vulnerability does

Description

Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without the changes being applied to the files' database-resident metadata) and/or upload new files, with arbitrary content and extensions, which do not show up in the Directus UI. This vulnerability is fixed in 11.9.3.

Key dates

Disclosure timeline

August 20, 2025 CVE published
August 20, 2025 Record updated