CVE-2025-55746
Published: 20 August 2025
Summary
CVE-2025-55746 is a critical-severity External Control of File Name or Path (CWE-73) vulnerability. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105); ranked at the 30.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-7 (Software, Firmware, and Information Integrity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations preventing unauthenticated actors from accessing file update and upload mechanisms in Directus.
Validates inputs to file update and upload endpoints, mitigating arbitrary content, extensions, and path control exploitation.
Performs integrity verification on stored files to identify unauthorized modifications or hidden uploads not reflected in database metadata or UI.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated arbitrary file upload/modification (CWE-434/73) in public-facing Directus enables stealthy web shell deployment and tool ingress.
NVD Description
Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes…
more
being applied to the files' database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI. This vulnerability is fixed in 11.9.3.
Deeper analysisAI
CVE-2025-55746 is a high-severity vulnerability in the file update mechanism of Directus, an open-source real-time API and app dashboard for managing SQL database content. It affects versions from 10.8.0 up to but not including 11.9.3. The flaw enables unauthenticated actors to modify the contents of existing files with arbitrary data—without updating the files' metadata stored in the database—or to upload entirely new files with arbitrary content and file extensions. These changes do not appear in the Directus UI, allowing stealthy alterations. The issue is rated 9.3 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L) and is associated with CWE-73 (External Control of File Name or Path) and CWE-434 (Unrestricted Upload of File with Dangerous Type).
An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to tamper with existing files on the server by overwriting their contents arbitrarily, potentially injecting malicious code or data while leaving database metadata intact to evade detection. Attackers can also upload new files with dangerous extensions or payloads that remain hidden from the Directus user interface, enabling persistent storage of malware, backdoors, or other harmful content for later retrieval or execution.
The vulnerability was fixed in Directus version 11.9.3, as detailed in the project's security advisory (GHSA-mv33-9f6j-pfmc) and the corresponding commit (d84dcc36f75fc5c858d43746b8f9c426c38d696b). Security practitioners should immediately upgrade to 11.9.3 or later, review file storage directories for unauthorized modifications or hidden uploads, and implement network access controls to restrict unauthenticated API endpoints until patching is complete.
Details
- CWE(s)