CVE-2025-30353 Overview
CVE-2025-30353 is an information disclosure vulnerability in Directus, the open-source real-time API and dashboard for managing SQL database content. The flaw affects versions 9.12.0 through 11.4.x. When a Flow configured with a "Webhook" trigger and "Data of Last Operation" response body encounters a ValidationError from a failed condition operation, the API response leaks sensitive runtime data. Exposed content includes environment variables, API keys, user accountability data, and internal operational state. The maintainers fixed the issue in version 11.5.0.
Critical Impact
Anyone who can reach a vulnerable Flow's webhook endpoint, with no Directus account required, can send a request that fails the Flow's condition check and read environment variables, API keys, and accountability data out of the resulting error response.
Affected Products
- Directus (vendor: Monospace) versions 9.12.0 up to and including 11.4.x, running on Node.js
- Exploitable only where a deployment has a Flow that combines the "Webhook" trigger with the "Data of Last Operation" response body; instances without such a Flow run the vulnerable code but expose nothing through it
Discovery Timeline
- 2025-03-26 - CVE-2025-30353 published to NVD
- 2025-08-26 - Last updated in NVD database
Technical Details for CVE-2025-30353
Vulnerability Analysis
The vulnerability resides in how Directus Flows handle errors in webhook-triggered automations. Directus Flows allow administrators to chain operations such as condition checks, data transformations, and notifications behind an HTTP webhook trigger. When the Flow is configured to return the "Data of Last Operation" as the HTTP response body, the runtime serializes the most recent operation context back to the caller.
When a condition operation fails its check, Directus throws a ValidationError. Instead of returning a sanitized error payload, the Flow engine includes the entire operation context in the response. That context holds the accumulated $trigger data, the requester's $accountability record (user, role, IP address), the $env values made available to Flows, and the outputs of earlier operations, so any API keys or other secrets those values carry become part of the HTTP response body. The defect maps to CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.
Root Cause
The root cause is improper error response construction in the Flow execution pipeline. The webhook handler does not differentiate between successful operation output and error-state internal context when serializing the "Data of Last Operation" response. Validation errors propagate the unfiltered operation environment to the HTTP layer.
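The following is an added illustration, not Directus source code: a minimal Node.js model of a webhook-triggered Flow whose response body is "Data of Last Operation". It shows why a failed condition handed the runtime context to the caller, and the shape of a handler that does not. The context keys ($trigger, $accountability, $env) follow Directus Flow naming; the ValidationError class, the condition check, the request and environment objects, and the sample token value are assumptions made for the example.

```javascript
// Added example (not Directus code): model of "Data of Last Operation" handling.
// Field names $trigger/$accountability/$env follow Directus Flow conventions;
// everything else is a simplification for illustration.

class ValidationError extends Error {
  // Assumption for the model: the error carries the payload that failed
  // validation, which here is the whole accumulated Flow context.
  constructor(message, data) {
    super(message);
    this.name = 'ValidationError';
    this.data = data;
  }
}

// Condition operation: passes only when the webhook body has status === 'ok'.
function conditionOperation(context) {
  if (context.$trigger.body && context.$trigger.body.status === 'ok') {
    return { passed: true };
  }
  throw new ValidationError('Condition failed', context);
}

function buildContext(req, env) {
  return {
    $trigger: { method: req.method, body: req.body },
    $accountability: { user: req.user, role: req.role, ip: req.ip },
    $env: env,
  };
}

// VULNERABLE: whatever the last operation produced, including a thrown error
// and the data attached to it, is serialized straight into the HTTP body.
function runFlowVulnerable(req, env) {
  const context = buildContext(req, env);
  let last;
  try {
    last = conditionOperation(context);
  } catch (err) {
    last = { error: err.message, ...err }; // err.data (the full context) is copied along
  }
  return { status: 'error' in last ? 400 : 200, body: last };
}

// HARDENED: an error result is reduced to a fixed, allow-listed shape before it
// reaches the HTTP layer; the Flow context never leaves the engine.
function sanitizeError(err) {
  return { error: err.name, message: err.message };
}

function runFlowHardened(req, env) {
  const context = buildContext(req, env);
  let last;
  let status = 200;
  try {
    last = conditionOperation(context);
  } catch (err) {
    status = 400;
    last = sanitizeError(err);
  }
  return { status, body: last };
}

// Constructed sample inputs (not real secrets, not captured traffic).
const sampleEnv = { FLOWS_ENV_ALLOW_LIST: 'API_TOKEN', API_TOKEN: 'tok_example_123' };
const badRequest = { method: 'POST', body: { status: 'nope' }, user: 'u1', role: 'r1', ip: '203.0.113.5' };
const goodRequest = { method: 'POST', body: { status: 'ok' }, user: 'u1', role: 'r1', ip: '203.0.113.5' };

// True when the sample token appears anywhere in the serialized response body.
function leaksEnv(response) {
  return JSON.stringify(response.body).includes('tok_example_123');
}

console.log('vulnerable leaks token:', leaksEnv(runFlowVulnerable(badRequest, sampleEnv)));
console.log('hardened leaks token:', leaksEnv(runFlowHardened(badRequest, sampleEnv)));
```

The point of the hardened branch is not the specific fields it keeps but that the error path has its own explicit output schema; the patched Directus release applies the same principle to the webhook response path, as the advisory describes.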
Attack Vector
An unauthenticated attacker reachable over the network identifies a webhook-triggered Flow endpoint on a Directus instance. The attacker crafts a request with payload values designed to fail the Flow's condition operation. The resulting ValidationError causes Directus to return the internal operation context, including environment variables and secrets, in the HTTP response body. No authentication or user interaction is required.
The vulnerability requires the target Flow to use the "Webhook" trigger and have its response body set to "Data of Last Operation." See the GitHub Security Advisory GHSA-fm3h-p9wm-h74h for additional technical details.
Detection Methods for CVE-2025-30353
Indicators of Compromise
- HTTP responses from Directus /flows/trigger/{id} endpoints containing keys such as $env, $accountability, or environment variable names
- Repeated webhook requests from a single source producing ValidationError responses
- Outbound responses with abnormally large payloads from Flow webhook endpoints
Detection Strategies
- Inspect Directus application logs for sequences of ValidationError events tied to webhook-triggered Flows
- Deploy WAF or reverse proxy rules that scan outbound Directus responses for known secret patterns and environment variable names
- Audit existing Flows and identify those that combine a Webhook trigger with the "Data of Last Operation" response body setting
Monitoring Recommendations
- Forward Directus access and application logs to a centralized SIEM and alert on repeated 4xx responses to /flows/trigger/ paths
- Monitor for unusual response sizes or response bodies containing JSON keys associated with Directus internals
- Track the version of deployed Directus instances and alert on any running a release earlier than 11.5.0
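As an added example (not from the advisory and not Directus code), the two checks below implement the response-body scan and the repeated-error burst detection from the strategies and monitoring recommendations above, in Node.js. The JSON log line shape, the three-hit threshold and the secret patterns are assumptions; map them onto the fields your reverse proxy or SIEM actually emits, and treat the sample bodies and log lines as constructed test data.

```javascript
// Added example (not Directus tooling): detection routines for the leak pattern.

// Keys that belong to a Directus Flow's internal context and should never
// appear in a webhook response body.
const INTERNAL_KEYS = ['$env', '$accountability', '$trigger', '$last'];

// Assumed secret shapes: a generic ENV_VAR_NAME key plus two common token formats.
const SECRET_PATTERNS = [
  { name: 'env-style key', re: /"[A-Z][A-Z0-9_]{3,}"\s*:/g },
  { name: 'jwt', re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g },
  { name: 'aws-access-key', re: /\bAKIA[0-9A-Z]{16}\b/g },
];

// Returns the indicator names found in a response body string.
function scanResponseBody(body) {
  const hits = [];
  for (const key of INTERNAL_KEYS) {
    if (body.includes(`"${key}"`)) hits.push(key);
  }
  for (const { name, re } of SECRET_PATTERNS) {
    re.lastIndex = 0; // global regexes keep state between test() calls
    if (re.test(body)) hits.push(name);
  }
  return hits;
}

// Groups 4xx responses to /flows/trigger/ by client IP inside a sliding window
// and returns the IPs that reach `threshold` hits. Each line is assumed to be a
// JSON object with time (ISO 8601), ip, path and status fields.
function findBurstSources(lines, threshold, windowSeconds) {
  const byIp = new Map();
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch (e) { continue; } // skip non-JSON lines
    if (!rec.path || !rec.path.startsWith('/flows/trigger/')) continue;
    if (rec.status < 400 || rec.status > 499) continue;
    const t = Date.parse(rec.time) / 1000;
    if (!byIp.has(rec.ip)) byIp.set(rec.ip, []);
    byIp.get(rec.ip).push(t);
  }
  const flagged = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowSeconds) start++;
      if (end - start + 1 >= threshold) { flagged.push(ip); break; }
    }
  }
  return flagged;
}

// Constructed sample data (not captured from a real system).
const sampleLeakBody = JSON.stringify({
  error: 'ValidationError',
  data: {
    $trigger: { body: { x: 1 } },
    $accountability: { user: 'u1', role: 'r1', ip: '203.0.113.5' },
    $env: { API_TOKEN: 'tok_example' },
  },
});
const sampleCleanBody = JSON.stringify({ error: 'ValidationError', message: 'Condition failed' });
const sampleLog = [
  '{"time":"2025-03-27T10:00:00Z","ip":"203.0.113.5","path":"/flows/trigger/abc","status":400}',
  '{"time":"2025-03-27T10:00:02Z","ip":"203.0.113.5","path":"/flows/trigger/abc","status":400}',
  '{"time":"2025-03-27T10:00:04Z","ip":"203.0.113.5","path":"/flows/trigger/abc","status":400}',
  '{"time":"2025-03-27T10:00:05Z","ip":"198.51.100.9","path":"/flows/trigger/abc","status":200}',
  '{"time":"2025-03-27T10:30:00Z","ip":"198.51.100.9","path":"/flows/trigger/abc","status":400}',
  'not json at all',
];

console.log('leak indicators:', scanResponseBody(sampleLeakBody));
console.log('burst sources:', findBurstSources(sampleLog, 3, 60));
```

Run the body scan on responses, not requests: the indicator is what the server sent back. The burst check is deliberately coarse; a single attacker needs only one failing request to read the context, so treat it as a triage aid and rely on the body scan and the Flow audit for actual coverage.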
How to Mitigate CVE-2025-30353
Immediate Actions Required
- Upgrade all Directus deployments to version 11.5.0 or later
- Inventory Flows configured with the Webhook trigger and "Data of Last Operation" response body and review their exposure
- Rotate environment secrets, API keys, and tokens that may have been disclosed through vulnerable Flow responses
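An added audit helper (not Directus tooling) for the inventory step above. It assumes the Flow objects returned by GET /flows store a Webhook trigger as trigger: 'webhook' and the response-body setting as options.return, with '$last' being the stored value for "Data of Last Operation"; confirm those values against your own instance before relying on the output. The sample Flow records are constructed, and the live fetch uses the Node 18+ global fetch with a static admin token.

```javascript
// Added example (not Directus code): find Flows exposed by CVE-2025-30353.
// Assumed field values: trigger === 'webhook', options.return === '$last'.

function isExposedFlow(flow) {
  return flow.trigger === 'webhook' && !!flow.options && flow.options.return === '$last';
}

// Returns id/name/status of every exposed Flow, inactive ones included, because
// an inactive Flow keeps the risky setting and will expose it again once enabled.
function findExposedFlows(flows) {
  return flows
    .filter(isExposedFlow)
    .map((f) => ({ id: f.id, name: f.name, status: f.status }));
}

// Pull live Flows with a static token (hypothetical baseUrl/token; not called here).
async function fetchFlows(baseUrl, token) {
  const res = await fetch(`${baseUrl}/flows?fields=id,name,status,trigger,options&limit=-1`, {
    headers: { Authorization: `Bearer ${token}` },
  });
  if (!res.ok) throw new Error(`GET /flows failed: ${res.status}`);
  return (await res.json()).data;
}

// Constructed sample resembling the data array of a GET /flows response.
const sampleFlows = [
  { id: 'f1', name: 'Order webhook', status: 'active', trigger: 'webhook', options: { method: 'POST', return: '$last' } },
  { id: 'f2', name: 'Nightly cleanup', status: 'active', trigger: 'schedule', options: { cron: '0 2 * * *' } },
  { id: 'f3', name: 'Static reply', status: 'active', trigger: 'webhook', options: { method: 'POST', return: '' } },
  { id: 'f4', name: 'Old hook', status: 'inactive', trigger: 'webhook', options: { method: 'GET', return: '$last' } },
];

console.log(findExposedFlows(sampleFlows));
```

For each Flow the helper reports, either switch the response body to an explicit payload or confirm the instance is already on 11.5.0 or later; the rotation step still applies to secrets those Flows could have returned before the change.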
Patch Information
Directus version 11.5.0 resolves CVE-2025-30353 by sanitizing Flow webhook responses so that validation errors no longer expose internal operation context. Refer to the GitHub Security Advisory GHSA-fm3h-p9wm-h74h for the official fix details and upgrade guidance.
Workarounds
- Change the affected Flow's response body from "Data of Last Operation" to a static or explicitly defined response payload
- Restrict access to webhook-triggered Flow endpoints using network controls, authentication proxies, or IP allow-lists
- Disable non-essential webhook-triggered Flows until the Directus instance is upgraded to 11.5.0
# Upgrade example: move Directus to the fixed release
npm install directus@11.5.0
# Or with Docker: pin image: directus/directus:11.5.0 in docker-compose.yml first,
# since pulling the tag alone does not change what compose starts
docker pull directus/directus:11.5.0
docker compose up -d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.