CVE CyberSecurity Database News

CVE-2025-24353 - How a Directus Role Escalation Bug Exposed Hidden Data

Poster -

Directus is a popular open source platform for managing SQL database content through a modern API and dashboard—trusted by thousands of teams worldwide. But in early 2025, security researchers uncovered a critical flaw (CVE-2025-24353) that allowed regular users to bypass role restrictions and see sensitive information they should not have access to. Let’s break down how this worked, who’s at risk, and what you need to know to stay secure.

What is CVE-2025-24353?

CVE-2025-24353 is a security vulnerability present in Directus versions before 11.2.. It lets a standard user abuse the item sharing feature to assign any role (including high-privilege ones) when sharing content. As a result, they could see or share database fields that are hidden from their own role—effectively “upgrading” their permissions without admin approval.

Any Directus instance <11.2.

- Those using “Share” links for items/records

How the Exploit Works (Simplified Walkthrough)

When a user wants to share some content in Directus (like a product or a blog post), Directus provides a sharing dialog. Normally, fields are hidden based on the user's current role. But, the app lets the user specify who they're sharing with—and the role to use—via a parameter in the share link.

Here is a simplified example

// The server-side permission setup:
{
  "roles": {
    "viewer": { "canSee": ["title", "description"] },
    "manager": { "canSee": ["title", "description", "secret_notes"] }
  }
}

// A "Share" link payload (what's sent from the frontend):
{
  "item": "123",
  "role": "manager"
}

If the server does not verify that the logged-in user has rights to share as the manager role, the user can just change role to manager in the payload or URL, and instantly get access to the hidden secret_notes field. In practice, the exploit was as easy as modifying the network request or editing the share link.

Proof of Concept (PoC)

// Suppose the app uses a POST /share endpoint
fetch('/share', {
  method: 'POST',
  body: JSON.stringify({
    item: 42,           // record ID
    role: 'admin'       // exploit: requesting privileged "admin" role!
  }),
  headers: { 'Content-Type': 'application/json' }
})
.then(res => res.json())
.then(data => {
  // data.secret_field is now visible!
});

Real-World Impact

Imagine a database table of Users where only admins can see the salary field. A regular employee should only see their name and title. With this bug, a malicious worker could craft a share link pretending to be an admin, and suddenly see everyone’s hidden salaries.

This is especially nasty because it left no obvious trace: the logs showed valid role-based accesses, and admins would not notice unless they manually audited which share links were made and by whom.

Only roles authorized by the logged-in user can be chosen for sharing.

- The server checks permissions against the user’s real privilege level, not just the one requested in the share payload.

What you should do

- Upgrade Immediately: Install Directus 11.2. or later. Release notes & download

Further Reading & References

- Directus Security Advisory for CVE-2025-24353
- NVD CVE-2025-24353 entry
- Example patch PR #XXXXX
- Directus Share API Docs

Conclusion

CVE-2025-24353 is a good reminder: never trust user input—even if it comes from your own app’s frontend features. Always verify roles and permissions server side, and keep your open source tools up-to-date.

Are you running Directus? Do a quick health check to make sure you’re protected—and help spread the word to your teammates!


*This post is an exclusive, plain-language summary with original research and code. Stay safe out there!*

Timeline

Published on: 01/23/2025 18:15:33 UTC