PT-2025-34141 · Directus

R4Bbit-R4 · Published 2025-08-20 · Updated 2026-03-22

CVE-2025-55746 · CVSS v3.1 9.3 (Critical) · AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L

Name of the Vulnerable Software and Affected Versions: Directus versions 10.8.0 through 11.9.2
Description: Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and/or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI. This can lead to remote code execution if the server directly serves files from the upload directory. Exploitation requires knowledge of at least one file UUID. The vulnerability allows for potential impacts such as setting up phishing sites, poisoning hosted files, and achieving unauthenticated code execution on the server.
Recommendations: Directus versions prior to 11.9.3 are affected. Apply the latest Directus security patch addressing the vulnerability. Enforce MIME-type and content validation. Restrict executable file types. Implement a Web Application Firewall (WAF) to block suspicious upload requests and monitor for file extensions such as .php, .jsp, .asp, and .exe. Run Directus in isolated containers or VMs. Limit permissions on upload directories. Scan for existing webshells and audit logs for unusual upload activity.
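The two symptoms the description names (file contents replaced while the database metadata stays unchanged, and files present on disk that never appear in the UI) can both be detected by reconciling the upload directory against the file records. The following audit script is an added example written for this advisory, not Directus code; it assumes local storage and that the file table exposes filename_disk and filesize columns, and it uses a constructed directory and constructed rows in place of a live database query.

```python
import tempfile
from pathlib import Path

# Extensions the advisory's recommendations single out for monitoring.
RISKY_EXT = {".php", ".jsp", ".asp", ".exe"}

# Constructed stand-in for rows of the Directus file table. The column
# names filename_disk / filesize are assumed to match the Directus schema.
DB_ROWS = [
    {"id": "00000000-0000-4000-8000-000000000001", "filename_disk": "logo.png", "filesize": 9},
    {"id": "00000000-0000-4000-8000-000000000002", "filename_disk": "terms.pdf", "filesize": 13},
]


def audit_upload_dir(upload_dir, db_rows):
    """Reconcile the upload directory with the DB-resident file metadata.

    Returns a dict with:
      orphans    - files on disk with no matching row (uploads hidden from the UI)
      mismatches - files whose on-disk size differs from the stored filesize
                   (contents replaced without the metadata changing)
      risky      - orphans whose extension is on the watch list
    """
    by_name = {row["filename_disk"]: row for row in db_rows}
    report = {"orphans": [], "mismatches": [], "risky": []}
    for path in sorted(Path(upload_dir).iterdir()):
        if not path.is_file():
            continue
        row = by_name.get(path.name)
        if row is None:
            report["orphans"].append(path.name)
            if path.suffix.lower() in RISKY_EXT:
                report["risky"].append(path.name)
        elif path.stat().st_size != row["filesize"]:
            report["mismatches"].append(path.name)
    return report


def demo():
    """Build a constructed upload directory and audit it against DB_ROWS."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "logo.png").write_bytes(b"PNG-bytes")               # 9 bytes, matches DB
        (root / "terms.pdf").write_bytes(b"tampered content!")       # 17 bytes, DB says 13
        (root / "shell.php").write_bytes(b"constructed orphan file")  # no DB row at all
        return audit_upload_dir(root, DB_ROWS)


if __name__ == "__main__":
    print(demo())
```

A size check is a cheap first pass; storing a content hash alongside the metadata and comparing it the same way catches replacements that keep the original length.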

Tags: RCE · Unrestricted File Upload

Related Identifiers: CVE-2025-55746 · GHSA-MV33-9F6J-PFMC

Affected Products: Directus