
CVE-2025-53887: Directus's exact version number is exposed by the OpenAPI Spec

5.3 CVSS

Description

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly used as the OpenAPI Spec version, which means it is exposed by the `/server/specs/oas` endpoint without authentication. With the exact version information, a malicious attacker can look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version. Version 11.9.0 fixes the issue.
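The following is an added defensive check for operators, not code from Directus or from the advisory. It assumes only what the description states: that the unauthenticated `/server/specs/oas` endpoint returns a JSON OpenAPI document and that, on affected releases, its `info.version` field carries the exact Directus version. The sample spec embedded below is constructed for the example; `fetch_spec` is provided for running the same check against an instance you operate, and the field name `info.version` is the standard OpenAPI location for the spec version.

```python
"""Flag exact product-version disclosure in an OpenAPI document
(defensive check written for the CVE-2025-53887 advisory; not Directus code)."""
import json
import re
import urllib.request
from typing import Optional

# Full semantic version, e.g. 10.8.3 or 11.8.0-rc.1. Constructed pattern used
# to decide whether info.version looks like a precise release number.
SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")

# Constructed sample resembling the shape of an OAS document from an affected
# instance; the version value here is invented for the example.
SAMPLE_AFFECTED_SPEC = {
    "openapi": "3.0.1",
    "info": {"title": "Constructed sample", "version": "10.8.3"},
    "paths": {},
}


def oas_version(spec: dict) -> Optional[str]:
    """Return info.version from an OpenAPI document, or None if it is absent."""
    info = spec.get("info")
    if not isinstance(info, dict):
        return None
    version = info.get("version")
    return version if isinstance(version, str) else None


def discloses_exact_version(spec: dict, installed_version: Optional[str] = None) -> bool:
    """True when info.version is a full semver string.

    If the operator supplies the version they know to be installed, the check
    is stricter: it only reports disclosure when the spec echoes that version.
    """
    version = oas_version(spec)
    if version is None or not SEMVER_RE.match(version):
        return False
    if installed_version is not None:
        return version == installed_version
    return True


def fetch_spec(base_url: str, timeout: float = 10.0) -> dict:
    """Fetch the OAS document from an instance you operate (network call;
    the path is the one named in the advisory)."""
    url = base_url.rstrip("/") + "/server/specs/oas"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def report(spec: dict, installed_version: Optional[str] = None) -> str:
    """Human-readable verdict with the remediation from the advisory."""
    if discloses_exact_version(spec, installed_version):
        return (f"DISCLOSED: info.version={oas_version(spec)!r}; "
                "upgrade to Directus 11.9.0 or later (CVE-2025-53887)")
    return f"ok: info.version={oas_version(spec)!r} is not an exact product version"


if __name__ == "__main__":
    print(report(SAMPLE_AFFECTED_SPEC))
    print(report({"openapi": "3.0.1", "info": {"version": "1.0"}}))
    # Against your own instance: print(report(fetch_spec("https://directus.example")))
```

Passing `installed_version` turns the heuristic into an exact comparison, which is the useful form after patching: re-run it against the upgraded instance and confirm the spec no longer echoes the running release.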

Classification

CVE ID: CVE-2025-53887

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem Types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Affected Products

Vendor: directus

Product: directus

References

https://nvd.nist.gov/vuln/detail/CVE-2025-53887
https://github.com/directus/directus/security/advisories/GHSA-rmjh-cf9q-pv7q
https://github.com/directus/directus/pull/25353
https://github.com/directus/directus/commit/e74f3e4e92edc33b5f83eefb001a3d2a85af17a3
https://github.com/directus/directus/releases/tag/v11.9.0

Timeline