PT-2025-34141 · Directus · Directus

R4Bbit-R4 · Published 2025-08-20 · Updated 2026-04-05 · CVE-2025-55746

CVSS v3.1: 9.3 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Directus versions 10.8.0 through 11.9.3
Description: Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability exists in the file update mechanism that allows an unauthenticated actor to modify existing files with arbitrary contents (without any change being applied to the files' database-resident metadata) and/or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI. This can lead to remote code execution if the server directly serves files from the upload directory. The vulnerability allows attackers to upload webshells, potentially gaining full control of the underlying server. Exploitation requires knowledge of at least one file UUID. The impact can range from setting up phishing sites to poisoning hosted files and gaining access to internal services.
Recommendations: Apply the latest Directus security patch addressing this vulnerability. Enforce MIME-type and content validation. Restrict executable file types. Isolate Directus in containers or VMs and limit permissions on upload directories. Scan for existing webshells and audit logs for unusual upload activity.
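An added reconciliation check, not taken from the advisory or from the Directus project, that applies the last recommendation above: it compares the contents of an upload directory against the file metadata Directus stores and flags the two conditions the description names (a file whose content was rewritten while its metadata stayed unchanged, and a file present on disk with no metadata row, so it never appears in the UI). The column names filename_disk, type and filesize, the magic-number table and the sample data are assumptions.

```python
import os

# Leading bytes expected for a few declared MIME types (magic numbers).
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "application/pdf": b"%PDF",
}
EXECUTABLE_EXT = {".php", ".phtml", ".phar", ".jsp", ".asp", ".aspx", ".cgi", ".sh"}


def reconcile(metadata_rows, disk_files):
    """Return a list of (filename, reason) findings.

    metadata_rows: dicts with the assumed directus_files columns
                   filename_disk, type and filesize.
    disk_files: dict mapping on-disk filename -> file content (bytes).
    """
    findings = []
    by_name = {row["filename_disk"]: row for row in metadata_rows}
    for name, content in disk_files.items():
        ext = os.path.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXT:
            findings.append((name, "executable extension in upload directory"))
        row = by_name.get(name)
        if row is None:
            findings.append((name, "no metadata row: not visible in the UI"))
            continue
        if row["filesize"] != len(content):
            findings.append((name, "size differs from metadata: content replaced?"))
        magic = MAGIC.get(row["type"])
        if magic and not content.startswith(magic):
            findings.append((name, f"content does not match declared {row['type']}"))
    return findings


# Constructed sample data: one intact file, one rewritten in place, one orphan.
SAMPLE_ROWS = [
    {"filename_disk": "a1.png", "type": "image/png", "filesize": 12},
    {"filename_disk": "b2.pdf", "type": "application/pdf", "filesize": 9},
]
SAMPLE_DISK = {
    "a1.png": b"\x89PNG\r\n\x1a\n" + b"abcd",   # 12 bytes, genuine PNG header
    "b2.pdf": b"<?php echo 'x'; ?>",            # overwritten, metadata untouched
    "c3.php": b"<?php /* placeholder */ ?>",    # on disk, no metadata row
}

if __name__ == "__main__":
    for name, reason in reconcile(SAMPLE_ROWS, SAMPLE_DISK):
        print(f"{name}: {reason}")
```

Against a live instance the same function can be fed a directus_files query result and the listing of the storage root; the sample above exists only so the check runs offline.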

Exploit · Fix · RCE · Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2025-55746
GHSA-MV33-9F6J-PFMC

Affected Products

Directus