Directus' exact version number is exposed by the OpenAPI Spec

链接： https://github.com/advisories/GHSA-rmjh-cf9q-pv7q

仓库 Star： 31659

CVSS 评分： 5.3

参考链接：

https://github.com/directus/directus/security/advisories/GHSA-rmjh-cf9q-pv7q
https://nvd.nist.gov/vuln/detail/CVE-2025-53887
https://github.com/directus/directus/pull/25353
https://github.com/directus/directus/commit/e74f3e4e92edc33b5f83eefb001a3d2a85af17a3
https://github.com/directus/directus/releases/tag/v11.9.0
https://github.com/advisories/GHSA-rmjh-cf9q-pv7q

描述：

Summary

The exact Directus version number is incorrectly being used as OpenAPI Spec version this means that it is being exposed by the /server/specs/oas endpoint without authentication.

Impact

With the exact version information a malicious attacker can look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version.

安全公告

#Github Advisory

Directus' exact version number is exposed by the OpenAPI Spec

http://example.com/2025/07/15/github_4057124110/

作者

lianccc

发布于

2025年7月15日

许可协议

Directus tokens are not redacted in flow logs, exposing session credentials to all admin 上一篇

Printer Unauthorized Access Vulnerability 下一篇