PT-2025-12984 · Directus · Directus

Dzevs · Published 2025-03-26 · Updated 2025-08-26 · CVE-2025-30353

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Directus versions 9.12.0 through 11.4.0
Description: Directus is a real-time API and App dashboard for managing SQL database content. When a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data: environment variables, sensitive API keys, user accountability information, and operational data. This is a significant security risk, since any unintended exposure of this data could lead to misuse.
Recommendations: To resolve the issue, update to version 11.5.0 or later. As a temporary workaround, disable the "Webhook" trigger in Flows that use the "Data of Last Operation" response body to reduce the risk of exploitation. Restrict access to sensitive data and operational logs to prevent unauthorized exposure. Avoid using environment variables and other sensitive parameters in the affected API endpoint until the issue is resolved.
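As an added example (not part of this advisory or of the Directus project), a small audit helper that applies the two conditions above: it reports flows that combine the Webhook trigger with the "Data of Last Operation" response body, but only when the running version is inside the affected range. It assumes flow records shaped like the Directus flows collection, with `trigger === 'webhook'` and `options.return === '$last'` standing for those two settings (an assumption about field values, not something stated in the advisory); the sample flows are constructed.

```javascript
// Audit helper for CVE-2025-30353 (added example, not Directus project code).
// Assumption: flow records look like the Directus flows collection, where
// trigger "webhook" is the Webhook trigger and options.return "$last" is the
// "Data of Last Operation" response body.

const AFFECTED_MIN = [9, 12, 0]; // first affected version per the advisory
const FIXED = [11, 5, 0];        // first fixed version per the advisory

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected range: 9.12.0 through 11.4.0, i.e. >= 9.12.0 and < 11.5.0.
function isAffectedVersion(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, FIXED) < 0;
}

// A flow matches the vulnerable pattern when it uses the Webhook trigger
// and returns the data of the last operation.
function isAtRiskFlow(flow) {
  return flow.trigger === 'webhook' && !!flow.options && flow.options.return === '$last';
}

// Returns the names of flows that need the workaround on this version.
function auditFlows(version, flows) {
  if (!isAffectedVersion(version)) return [];
  return flows.filter(isAtRiskFlow).map((f) => f.name);
}

// Constructed sample input (not real data).
const SAMPLE_FLOWS = [
  { name: 'order-intake', trigger: 'webhook', options: { method: 'POST', return: '$last' } },
  { name: 'nightly-cleanup', trigger: 'schedule', options: { cron: '0 3 * * *' } },
  { name: 'health-check', trigger: 'webhook', options: { method: 'GET', return: '$all' } },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditFlows('11.4.0', SAMPLE_FLOWS)); // prints [ 'order-intake' ]
}
```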

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2025-30353
GHSA-FM3H-P9WM-H74H

Affected Products

Directus