
A security vulnerability has been identified in Directus, a real-time API and App dashboard used for managing SQL database content. This vulnerability, tracked as CVE-2025-30353 with a CVSS score of 8.6, can lead to the leakage of sensitive data.
The vulnerability occurs in Directus Flows that use the “Webhook” trigger together with the “Data of Last Operation” response body. When a condition operation in such a Flow fails and throws a ValidationError, the API response may inadvertently include sensitive data.
The exposed sensitive data can include:
- Environmental variables ($env)
- Authorization headers
- User details under $accountability
- Operational data
This exposure poses a significant security risk: the leaked values include credentials (authorization headers) and configuration (environment variables), not merely diagnostic detail, and could be misused.
The vulnerability can be reproduced by following these steps:
- Create a Directus Flow with a “Webhook” trigger and “Data of Last Operation” response body.
- Add a condition to the Flow that is likely to fail.
- Trigger the Flow with input data that will cause the condition to fail.
- Observe the API response, which will contain the sensitive information.
The expected behavior is that the API response to a ValidationError should only contain relevant error messages and details, without disclosing sensitive data. However, the actual behavior is that the API response includes sensitive information like environment keys (FLOWS_ENV_ALLOW_LIST), user accountability details, and operational logs.
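To make the expected behavior concrete from the defender's side, here is an added JavaScript example that is not Directus's own code: it scrubs the keys named above ($env, $accountability, Authorization headers) from a Flow error payload and reports the paths at which they appear, so a webhook response can be checked before it is returned. The payload shape, the `$trigger` key and the `FAILED_VALIDATION` default code are assumptions made for this example.

```javascript
// Added example (not Directus code): scrub a Flow error payload so only the message
// and details reach the webhook caller, and detect the leaked keys the advisory names.
const SENSITIVE_KEYS = new Set(['$env', '$accountability']);
const SENSITIVE_HEADERS = new Set(['authorization']);

// Sensitive: a Flow data key above, or an Authorization header (any case) directly inside `headers`.
function isSensitiveKey(key, insideHeaders) {
  return SENSITIVE_KEYS.has(key) || (insideHeaders && SENSITIVE_HEADERS.has(key.toLowerCase()));
}

// Deep-copy `value`, dropping sensitive keys at any depth; the input is not mutated.
function scrub(value, parentKey = '') {
  if (Array.isArray(value)) return value.map((v) => scrub(v, parentKey));
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    if (!isSensitiveKey(key, parentKey === 'headers')) out[key] = scrub(v, key);
  }
  return out;
}

// Dotted paths of sensitive keys found in `value` (empty array means clean).
function findLeaks(value, path = '', parentKey = '', found = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findLeaks(v, `${path}[${i}]`, parentKey, found));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, v] of Object.entries(value)) {
      const p = path ? `${path}.${key}` : key;
      if (isSensitiveKey(key, parentKey === 'headers')) found.push(p);
      else findLeaks(v, p, key, found);
    }
  }
  return found;
}

// Expected behaviour per the advisory: the ValidationError response carries only the
// message and scrubbed details, never the Flow's data chain. Response shape is assumed.
function toSafeErrorResponse(err) {
  const extensions = { code: err.code || 'FAILED_VALIDATION', details: scrub(err.details || {}) };
  return { errors: [{ message: err.message, extensions }] };
}

// Constructed sample resembling a leaked "Data of Last Operation" payload; the
// $trigger shape (webhook request headers and body) is an assumption.
const SAMPLE_LEAK = {
  message: 'Validation failed',
  data: {
    $env: { FLOWS_ENV_ALLOW_LIST: 'EXAMPLE_VAR' },
    $accountability: { user: 'placeholder-user-id', role: 'placeholder-role-id' },
    $trigger: { headers: { Authorization: 'Bearer placeholder-token', 'content-type': 'application/json' },
                body: { amount: -1 } },
  },
};
```

Running `findLeaks` over a captured webhook response after upgrading is a quick way to confirm that no `$env`, `$accountability` or authorization values still reach the caller.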
The vulnerability affects Directus version 9.12.0. It has been patched in version 11.5.0.