Directus is vulnerable to sensitive data exposure as user data is not being redacted when logged

链接： https://github.com/advisories/GHSA-x3vm-88hf-gpxp

仓库 Star： 31659

CVSS 评分： 4.2

参考链接：

https://github.com/directus/directus/security/advisories/GHSA-x3vm-88hf-gpxp
https://nvd.nist.gov/vuln/detail/CVE-2025-53885
https://github.com/directus/directus/pull/25355
https://github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff580e5
https://github.com/directus/directus/releases/tag/v11.9.0
https://github.com/advisories/GHSA-x3vm-88hf-gpxp

描述：

Summary

When using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the “Log to Console” operation and a template string.

Impact

Malicious admins can log sensitive data from other users when they are created or updated.

Workarounds

Avoid logging sensitive data to the console outside the context of development.

安全公告

#Github Advisory

Directus is vulnerable to sensitive data exposure as user data is not being redacted when logged

http://example.com/2025/07/15/github_2596801802/

作者

lianccc

发布于

2025年7月15日

许可协议

CVE-2025-5349 Vulnerability Scanner 上一篇

Directus tokens are not redacted in flow logs, exposing session credentials to all admin 下一篇