CVE-2025-24353: Directus privilege escalation vulnerability using Share feature
First published: Thu Jan 23 2025(Updated: )
### Summary When sharing an item, user can specify an arbitrary role. It allows user to use a higher-privileged role to see fields that otherwise the user should not be able to see. ### Details Specifying `role` on share should be available only for admins. The current flow has a security flaw. Each other role should allow to share only in the context of the same role. As there is no role hierarchy in Directus, it is impossible to tell which role is _higher_ or _lower_, so only admins should be able to specify the role for share. Optionally, instead of specifying a role, shareer* should be able to specify which fields (limited to fields shareer sees) are available on shared item. Similarily to import. *_shareer_ - a person that creates a share link to item ### PoC 1. Create a collection with a secret field. 2. Create role A that sees the secret field 3. Create role B that does not see the secret field, but can use share feature. 4. Create item with secret field filled. 5. Use account with role B to share the object as role A and gain unauthorized access to secret value. Here's video example: https://www.youtube.com/watch?v=DbV4IxbWzN4 I had to upload it to YouTube, because GitHub allows only 10MB videos. ### Impact Impacted are instances that use the share feature and have specific roles hierarchy and fields that are not visible for certain roles.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/directus | <11.2.0 | 11.2.0 |
| Directus | <11.2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/directus/directus/security/advisories/GHSA-pmf4-v838-29hg
- https://github.com/directus/directus/pull/23716
- https://github.com/directus/directus/commit/e288a43a79613dada905da683f4919c6965ac804
- https://github.com/directus/directus/releases/tag/v11.2.0
- https://www.youtube.com/watch?v=DbV4IxbWzN4
- https://nvd.nist.gov/vuln/detail/CVE-2025-24353
- https://github.com/advisories/GHSA-pmf4-v838-29hg (Advisory)
Frequently Asked Questions
What is the severity of CVE-2025-24353?
CVE-2025-24353 is considered a high severity vulnerability due to its potential to expose sensitive information through unauthorized access to privileged roles.
How do I fix CVE-2025-24353?
To fix CVE-2025-24353, ensure that the role specification feature is restricted to admin users only by updating your Directus installation to a version higher than 11.2.0.
What types of systems are affected by CVE-2025-24353?
CVE-2025-24353 affects the Directus software versions up to 11.2.0.
Can CVE-2025-24353 be exploited by regular users?
Yes, CVE-2025-24353 can be exploited by regular users if they are able to specify arbitrary roles when sharing items, leading to unauthorized visibility of fields.
What are the potential consequences of CVE-2025-24353?
The consequences of CVE-2025-24353 include unauthorized access to sensitive data, which could result in data leaks and compromised user privacy.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/severity
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-pmf4-v838-29hg
- alias/CVE-2025-24353
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/description
- agent/event
- collector/nvd-cve
- agent/author
- agent/source
- agent/guess-ai
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/github-advisory
- package-manager/npm
- vendor/directus
- canonical/directus