CVE-2025-55746 Overview
CVE-2025-55746 is an Arbitrary File Upload vulnerability affecting Directus, a real-time API and App dashboard for managing SQL database content. The flaw sits in the file update mechanism: a request that carries no valid credentials can still replace the contents of an existing file or write a new file with an arbitrary name and extension into Directus storage. Because the bytes land in storage without a corresponding change to the file's database record, the modification is invisible in the Directus UI and in the file metadata that administrators rely on.
Critical Impact
Unauthenticated attackers can overwrite existing files or drop new files with arbitrary content and extensions. Directus serves stored files as content through its own API rather than executing them, so the direct consequences are content manipulation (a replaced image, script bundle or download served to end users) and supply-chain effects on applications that consume those files; a web shell becomes a concern where the storage location is also exposed by a web server that executes scripts.
Affected Products
- Monospace Directus versions 10.8.0 up to and including 11.9.2 (fixed in 11.9.3)
- Any deployment form of the Directus Node.js API (npm package or container image); the flaw is in the API server and does not depend on which SQL database sits behind it
Discovery Timeline
- 2025-08-20 - CVE-2025-55746 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-55746
Vulnerability Analysis
This vulnerability is classified as CWE-73 (External Control of File Name or Path): the request controls the name and path under which content is written to storage, and the file update mechanism accepts that write without first verifying that the caller is authenticated and authorized. The attack is network-based and requires neither privileges nor user interaction.
Two outcomes are possible: an existing file's bytes are replaced, or a new file is created. Neither goes through the normal Directus workflow, so neither shows up in the admin UI, in the file's metadata record or in the activity log, which makes unauthorized modifications hard to spot from inside the application.
Root Cause
The root cause is an ordering and access-control failure in the file update endpoint: the upload is processed and the bytes are written to storage before the authentication and permission checks that normally gate file modification are applied. A second defect compounds the first: the write does not update the corresponding `directus_files` record, so the file system diverges from what administrators see in the Directus interface, and the size and timestamp of the object in storage no longer match its metadata.
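The ordering failure described above, as an added illustration that is not Directus source code: a handler that consumes the multipart body and writes it to storage before authorizing the caller, next to one that refuses first. The in-memory `FakeStore`, the `FileUpdateRequest` shape and its `accountability` field are assumptions made for this example.

```typescript
// Added illustration, not Directus source: a file-update handler that writes the uploaded part
// to storage before it authorizes the caller, next to one that checks first. The in-memory
// store, the request shape and its `accountability` field are assumptions for this example.

type Accountability = { user: string; admin: boolean } | null;

interface FileUpdateRequest {
  fileId: string;                                   // primary key of the record being updated
  accountability: Accountability;                   // null when no valid credentials were presented
  upload?: { filename: string; content: string };   // the multipart file part, if one was sent
}

interface FileRecord { filename_disk: string; filesize: number; modified_on: string }

class FakeStore {
  readonly disk = new Map<string, string>();   // storage key -> bytes
  readonly db = new Map<string, FileRecord>(); // file id -> metadata row
}

class Unauthorized extends Error {}

// A streaming multipart parser persists the part as it arrives; model that as an immediate write.
function writeUpload(store: FakeStore, filename: string, content: string): void {
  store.disk.set(filename, content);
}

function assertAuthorized(req: FileUpdateRequest): void {
  if (req.accountability === null) throw new Unauthorized("no credentials");
}

function updateRecord(store: FakeStore, req: FileUpdateRequest, now: string): void {
  if (!req.upload || !store.db.has(req.fileId)) return;
  store.db.set(req.fileId, {
    filename_disk: req.upload.filename,
    filesize: req.upload.content.length,
    modified_on: now,
  });
}

// Vulnerable ordering: the body is consumed and persisted, then the caller is checked.
function vulnerableUpdate(store: FakeStore, req: FileUpdateRequest, now: string): number {
  if (req.upload) writeUpload(store, req.upload.filename, req.upload.content);
  try {
    assertAuthorized(req); // too late: the bytes are already in storage
  } catch {
    return 401;            // looks like a refusal, but storage changed and the row did not
  }
  updateRecord(store, req, now);
  return 200;
}

// Hardened ordering: refuse before a single byte of the body is touched.
function hardenedUpdate(store: FakeStore, req: FileUpdateRequest, now: string): number {
  try {
    assertAuthorized(req);
  } catch {
    return 401;
  }
  if (req.upload) {
    writeUpload(store, req.upload.filename, req.upload.content);
    updateRecord(store, req, now);
  }
  return 200;
}

type Handler = typeof vulnerableUpdate;

// Constructed scenario: an anonymous caller tries to replace the bytes of an existing file.
function demo(handler: Handler): { status: number; disk: string; row: FileRecord } {
  const store = new FakeStore();
  store.disk.set("logo.png", "PNG-original");
  store.db.set("f1", { filename_disk: "logo.png", filesize: 12, modified_on: "2025-08-01T00:00:00Z" });
  const status = handler(
    store,
    { fileId: "f1", accountability: null, upload: { filename: "logo.png", content: "<script>alert(1)</script>" } },
    "2025-08-21T00:00:00Z",
  );
  return { status, disk: store.disk.get("logo.png")!, row: store.db.get("f1")! };
}
```

In the vulnerable ordering the anonymous caller still receives a 401, which is exactly what makes the bug quiet: the response looks like a refusal, yet the bytes are on disk and the metadata row is untouched. Streaming multipart parsers make this mistake easy to introduce, because the part is written while the body is still being read; the authorization check has to run on the request headers, before the body stream is consumed at all.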
Attack Vector
An attacker can exploit this vulnerability remotely over the network without credentials or user interaction, which makes internet-facing Directus installations particularly exposed. By sending crafted requests to the vulnerable file update endpoint (Directus's REST route for updating a file record), an attacker can:
- Overwrite an existing file with chosen content while its database metadata (filename, size, type, timestamps) stays unchanged
- Upload new files with arbitrary extensions, including script files, that never appear in the Directus UI
- Persist a backdoor in storage outside of normal administrative visibility, with the caveat that Directus itself does not execute stored files; execution requires a script-capable web server fronting the same storage location
The attack surface is significant given that Directus is commonly deployed as a headless CMS for web applications, meaning compromised files may be served directly to end users.
Detection Methods for CVE-2025-55746
Indicators of Compromise
- Storage objects whose modification time is newer than the `modified_on` / `uploaded_on` value of their `directus_files` row, with no matching entry in `directus_activity` or `directus_revisions`
- Files present in the storage location that have no `directus_files` row (excluding Directus's own cached asset transformations, which sit next to the originals under the original's name plus a `__<hash>` suffix)
- Proxy or web server logs showing POST, PATCH or PUT requests to the `/files` API from clients that presented neither an Authorization header nor a Directus session cookie; stock access log formats do not record this, so a custom log format with a derived credential flag is needed
- New script files or files with unusual extensions in the storage location, and size or content mismatches between an object in storage and its file record
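An added example, not from the page or the Directus project, of the log check in the third indicator above. It assumes the proxy writes a custom log format: the combined format followed by a `cred=0` or `cred=1` field derived from whether the request carried an Authorization header or a Directus session cookie (stock formats do not record this, and the header value itself must never be logged). The log lines are constructed.

```typescript
// Added example, not from the page or the Directus project: flag write requests to the file API
// that carried no credentials. Assumption: the proxy's log_format is the combined format plus a
// trailing `cred=0|1` field derived from whether the request had an Authorization header or a
// Directus session cookie (stock formats never record this, and the header value itself must not
// be logged). Log lines below are constructed.

interface Finding {
  ip: string;
  time: string;
  method: string;
  path: string;
  status: number;
  severity: "high" | "medium"; // high when the server accepted the credential-less write
}

const LOG_LINE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) \d+ (?:"[^"]*" "[^"]*" )?cred=([01])$/;
const WRITE_METHODS = new Set(["POST", "PATCH", "PUT"]);
const FILE_API = /^\/files(\/|$)/; // the files collection and /files/<id>, not /assets

function scanAccessLog(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const m = LOG_LINE.exec(line.trim());
    if (m === null) continue; // not in the expected format; a real scanner would count these
    const method = m[3];
    const path = m[4].split("?")[0];
    const status = Number(m[5]);
    const hasCred = m[6] === "1";
    if (hasCred || !WRITE_METHODS.has(method) || !FILE_API.test(path)) continue;
    findings.push({ ip: m[1], time: m[2], method, path, status, severity: status < 300 ? "high" : "medium" });
  }
  return findings;
}

// Constructed sample: one accepted anonymous PATCH, one refused anonymous POST, and benign traffic.
const SAMPLE_LOG = [
  '10.0.0.5 - - [20/Aug/2025:10:15:01 +0000] "PATCH /files/0d6b1c3e-1111-4a2b-9c3d-000000000001 HTTP/1.1" 200 310 "-" "curl/8.5.0" cred=0',
  '10.0.0.5 - - [20/Aug/2025:10:15:02 +0000] "POST /files HTTP/1.1" 403 94 "-" "curl/8.5.0" cred=0',
  '192.168.1.20 - - [20/Aug/2025:10:16:10 +0000] "PATCH /files/0d6b1c3e-1111-4a2b-9c3d-000000000002 HTTP/1.1" 200 310 "-" "Mozilla/5.0" cred=1',
  '203.0.113.9 - - [20/Aug/2025:10:17:00 +0000] "GET /assets/0d6b1c3e-1111-4a2b-9c3d-000000000001?width=300 HTTP/1.1" 200 51200 "-" "Mozilla/5.0" cred=0',
  '10.0.0.5 - - [20/Aug/2025:10:18:00 +0000] "GET /files?limit=1 HTTP/1.1" 401 80 "-" "curl/8.5.0" cred=0',
];

function demoScan(): Finding[] {
  return scanAccessLog(SAMPLE_LOG);
}
```

A credential-less write that the server answered with 2xx is the strongest signal: on a patched instance it cannot happen, and on a vulnerable one it means the storage write went through. Refused attempts (401/403) are still worth a ticket, since they show someone probing the endpoint. Anonymous GETs to `/files` or `/assets` are normal for public files and are deliberately not flagged.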
Detection Strategies
- Monitor file system integrity for Directus storage directories using tools like AIDE or Tripwire to detect unauthorized file modifications
- Add a reverse proxy or WAF rule that rejects write methods (POST, PATCH, PUT) to the `/files` API when the request carries neither an Authorization header nor a Directus session cookie
- Review proxy access logs for write requests to `/files` without credentials; log a derived boolean for credential presence rather than the Authorization header value itself
- Compare file system contents against Directus database records to identify orphaned or modified files
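An added example (not Directus tooling) of the storage-versus-database comparison in the last strategy above. `DiskEntry` stands for what a walk of the storage root returns (in practice `fs.readdirSync` plus `statSync`) and `FileRow` for the `filename_disk`, `filesize`, `modified_on` and `uploaded_on` columns of `directus_files`; the cache-entry naming pattern is an assumption, and both datasets below are constructed.

```typescript
// Added example, not Directus tooling: reconcile the storage root with the directus_files table.
// Assumptions: `DiskEntry` is what a directory walk of the storage location yields (name, size,
// mtime); `FileRow` carries the filename_disk, filesize, modified_on and uploaded_on columns of
// directus_files. Both datasets below are constructed.

interface DiskEntry { name: string; size: number; mtime: string } // ISO-8601 mtime
interface FileRow {
  id: string;
  filename_disk: string;
  filesize: number;
  modified_on: string | null;
  uploaded_on: string;
}

type Anomaly =
  | { kind: "orphan"; name: string; reason: string }                         // on disk, no row
  | { kind: "size_mismatch"; name: string; db: number; disk: number }        // bytes differ from the row
  | { kind: "touched_after_record"; name: string; db: string; disk: string } // mtime newer than the row
  | { kind: "missing_on_disk"; name: string };                               // row without an object

const SCRIPT_LIKE = /\.(php|phtml|js|mjs|sh|html?|svg)$/i;
// Assumption about naming: Directus writes cached asset transformations next to the originals as
// <name>__<hash>.<ext>; they have no row of their own and would otherwise flood the orphan list.
const TRANSFORM_CACHE = /__[^.]+\.[a-z0-9]+$/i;

function reconcile(disk: DiskEntry[], rows: FileRow[], skewSeconds = 5): Anomaly[] {
  const byName = new Map<string, FileRow>(rows.map((r) => [r.filename_disk, r]));
  const out: Anomaly[] = [];
  for (const f of disk) {
    if (TRANSFORM_CACHE.test(f.name)) continue;
    const row = byName.get(f.name);
    if (row === undefined) {
      out.push({ kind: "orphan", name: f.name, reason: SCRIPT_LIKE.test(f.name) ? "script-like extension" : "no database row" });
      continue;
    }
    if (row.filesize !== f.size) out.push({ kind: "size_mismatch", name: f.name, db: row.filesize, disk: f.size });
    const recorded = Date.parse(row.modified_on ?? row.uploaded_on);
    if (Date.parse(f.mtime) - recorded > skewSeconds * 1000) {
      out.push({ kind: "touched_after_record", name: f.name, db: new Date(recorded).toISOString(), disk: f.mtime });
    }
  }
  const onDisk = new Set(disk.map((d) => d.name));
  for (const r of rows) {
    if (!onDisk.has(r.filename_disk)) out.push({ kind: "missing_on_disk", name: r.filename_disk });
  }
  return out;
}

// Constructed sample: one clean file, one silently replaced file, a dropped script, a cache entry,
// and a row whose object is gone.
const DISK: DiskEntry[] = [
  { name: "a1.png", size: 51200, mtime: "2025-08-01T09:00:00Z" },
  { name: "a2.png", size: 2048, mtime: "2025-08-20T10:15:01Z" },
  { name: "shell.php", size: 120, mtime: "2025-08-20T10:18:00Z" },
  { name: "a1__5f3a9c.jpg", size: 9000, mtime: "2025-08-10T12:00:00Z" },
];
const ROWS: FileRow[] = [
  { id: "f1", filename_disk: "a1.png", filesize: 51200, modified_on: "2025-08-01T09:00:00Z", uploaded_on: "2025-08-01T09:00:00Z" },
  { id: "f2", filename_disk: "a2.png", filesize: 51200, modified_on: null, uploaded_on: "2025-08-02T09:00:00Z" },
  { id: "f3", filename_disk: "a3.pdf", filesize: 700, modified_on: null, uploaded_on: "2025-08-03T09:00:00Z" },
];

function demoReconcile(): Anomaly[] {
  return reconcile(DISK, ROWS);
}
```

Size and mtime are cheap first-pass signals; an attacker who pads the replacement to the original size and resets the mtime defeats both, so on a suspected compromise follow up by hashing every object and comparing against a known-good backup or a prior inventory. Skipping cache-style names is a convenience that an attacker could abuse by naming a dropped file like a transformation, so include those entries in the hashing pass. Run the database side from a read-only connection so the audit itself cannot alter records.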
Monitoring Recommendations
- Enable detailed logging on Directus file operations and correlate with authentication events
- Set up file integrity monitoring on Directus storage directories with real-time alerting
- Deploy network monitoring to detect anomalous traffic patterns to Directus API endpoints
- Configure SIEM rules to alert on unauthenticated requests to file management APIs
How to Mitigate CVE-2025-55746
Immediate Actions Required
- Upgrade Directus to version 11.9.3 or later immediately
- Audit existing files in Directus storage directories for unauthorized modifications or unexpected files
- Review access logs for evidence of exploitation attempts against the file update endpoints
- Temporarily restrict network access to Directus instances if immediate patching is not possible
Patch Information
Monospace has released version 11.9.3 of Directus which addresses this vulnerability. The fix is available in commit d84dcc36f75fc5c858d43746b8f9c426c38d696b. Organizations should update their Directus installations immediately. For detailed information about the vulnerability and the fix, refer to the GitHub Security Advisory GHSA-mv33-9f6j-pfmc and the associated commit.
Workarounds
- Put a reverse proxy in front of Directus and reject credential-less write requests (POST, PATCH, PUT) to the `/files` API; do not bolt HTTP basic auth onto the route, because nginx's auth_basic rejects any request whose Authorization header is not a matching Basic credential, so every API client that authenticates with a Bearer token is locked out
- Use network segmentation to limit access to Directus instances from trusted networks only
- Deploy a web application firewall with the same rule: block write methods to the file API when neither an Authorization header nor a Directus session cookie is present
- Make sure the storage location is never served by a web server that executes scripts (Directus itself serves files as content through its own API); where a web server does front the storage directory, disable script handlers for it and serve files with X-Content-Type-Options: nosniff
# Example nginx configuration (added assumption: Directus is the upstream "directus_backend" and its
# session cookie keeps the default name). Rejects write requests to the file API that carry no
# credentials instead of adding basic auth, whose Authorization header would clobber Directus's own.
map "$http_authorization$cookie_directus_session_token" $directus_has_cred {   # http context
    default 1;
    ""      0;
}
location /files {
    set $unauth_write "";
    if ($directus_has_cred = 0)               { set $unauth_write "u"; }
    if ($request_method ~ ^(POST|PATCH|PUT)$) { set $unauth_write "${unauth_write}w"; }
    if ($unauth_write = "uw")                 { return 401; }
    proxy_pass http://directus_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


