CVE Tools
Sign in

CVE-2025-27089

Overlapping policies allow update to non-allowed fields in directus

Published: Feb 19, 2025Updated: Feb 27, 2025 Sources: CVE List NVD GHSACWE-863
NVD MITRE
5.4CVSSMEDIUM
EPSS Score
0.2%
Top 87.8%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Directus is a real-time API and App dashboard for managing SQL database content. In affected versions if there are two overlapping policies for the `update` action that allow access to different fields, instead of correctly checking access permissions against the item they apply for the user is allowed to update the superset of fields allowed by any of the policies. E.g. have one policy allowing update access to `field_a` if the `id == 1` and one policy allowing update access to `field_b` if the `id == 2`. The user with both these policies is allowed to update both `field_a` and `field_b` for the items with ids `1` and `2`. Before v11, if a user was allowed to update an item they were allowed to update the fields that the single permission, that applied to that item, listed. With overlapping permissions this isn't as clear cut anymore and the union of fields might not be the fields the user is allowed to update for that specific item. The solution that this PR introduces is to evaluate the permissions for each field that the user tries to update in the validateItemAccess DB query, instead of only verifying access to the item as a whole. This is done by, instead of returning the actual field value, returning a flag that indicates if the user has access to that field. This uses the same case/when mechanism that is used for stripping out non permitted field that is at the core of the permissions engine. As a result, for every item that the access is validated for, the expected result is an item that has either 1 or null for all the "requested" fields instead of any of the actual field values. These results are not useful for anything other than verifying the field level access permissions. The final check in validateItemAccess can either fail if the number of items does not match the number of items the access is checked for (ie. the user does not have access to the item at all) or if not all of the passed in fields have access permissions for any of the returned items. This is a vulnerability that allows update access to unintended fields, potentially impacting the password field for user accounts. This has been addressed in version 11.1.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS Vector Breakdown

AV:NAC:LPR:LUI:NS:UC:LI:LA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:LPrivileges Required
Low
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:LConfidentiality
Low
I:LIntegrity
Low
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-863

Affected Products

directusdirectus
Mixed
Web & CMS Plugins / cms-core
directusmonospace
Mixed
Web & CMS Plugins / cms-core
directusnpmOSS Libraries
@directus/apinpmOSS Libraries
directuscommercialWeb & CMS Pluginsaka @directus/api, directus api
monospacecommercialWeb & CMS Pluginsaka directus
npmpackage-ecosystemOSS Libraries

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

Official Patch Available

MITRE ATT&CK

2 techniques
Initial Access
View detailed technique mapping

References

https://github.com/directus/directus/security/advisories/GHSA-99vm-5v2h-h6r6
github.com
https://github.com/directus/directus/releases/tag/v11.1.2
github.com
https://nvd.nist.gov/vuln/detail/CVE-2025-27089
nvd.nist.gov
and 2 more references View all →

Timeline

Published
Feb 19, 2025
Last Updated
Feb 27, 2025

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2025-27089 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows