Directus tokens are not redacted in flow logs, exposing session credentials to all admin

链接： https://github.com/advisories/GHSA-f24x-rm6g-3w5v

仓库 Star： 31659

CVSS 评分： 4.5

参考链接：

https://github.com/directus/directus/security/advisories/GHSA-f24x-rm6g-3w5v
https://nvd.nist.gov/vuln/detail/CVE-2025-53886
https://github.com/directus/directus/commit/859f664f56fb50401c407b095889cea38ff580e5
https://github.com/directus/directus/releases/tag/v11.9.0
https://github.com/advisories/GHSA-f24x-rm6g-3w5v

描述：

Summary

When using Directus Flows with the WebHook trigger, all incoming request details are logged including security sensitive data like access and refresh tokens in cookies.

Impact

Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them triggering the Flow.

安全公告

#Github Advisory

Directus tokens are not redacted in flow logs, exposing session credentials to all admin

http://example.com/2025/07/15/github_3233943166/

作者

lianccc

发布于

2025年7月15日

许可协议

Directus is vulnerable to sensitive data exposure as user data is not being redacted when logged 上一篇

Directus' exact version number is exposed by the OpenAPI Spec 下一篇