The Directus project has disclosed a critical vulnerability tracked as CVE-2025-55746 (CVSS 9.3) that could allow unauthenticated attackers to upload or modify files on vulnerable servers. Directus, a popular open-source real-time API and dashboard for managing SQL database content, patched the flaw in version 11.9.3, but earlier versions remain at risk.
According to the advisory, “a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents… and/or upload new files, with arbitrary content and extensions, which won’t show up in the Directus UI.”
The flaw lies in the /files route, which exposes CRUD operations for file handling. Because the filename_disk value is not sanitized, attackers can bypass safeguards. While complete arbitrary file writes are restricted in some storage setups, the weakness still allows malicious uploads into the system’s upload folder.
The advisory summarizes:
- It is possible to change the contents of an existing file, as an existing UUID can be specified as the file name
  - The metadata won’t change, so the mime type cannot be modified
  - This also makes the changes happen “silently”, without Directus knowing about the changes
- A new, previously non-existent file can be created with arbitrary contents
  - The file won’t show up in the Directus UI, it can only be seen through other means (such as shell access)
- An extension MUST be defined for the file to be modified
  - This prevents us from uploading executables or malware with no extensions, but these wouldn’t be executable either way
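Because both effects described above leave the Directus metadata untouched (a replaced file keeps its recorded size and type; a new file has no record at all), the practical way to detect them after the fact is to reconcile the upload folder against what Directus believes is there. The script below is an added example written for this article, not code from the advisory or the Directus project. It assumes the file metadata has been exported as JSON with the fields filename_disk, filesize and type (filename_disk appears in the advisory; the other two field names and all sample values are assumptions), and it builds a constructed upload folder that reproduces both symptoms so it runs offline:

```python
import json
import os
import tempfile
from dataclasses import asdict, dataclass, field

# Constructed sample of the per-file metadata Directus keeps (assumed here to be
# an export of the directus_files table as JSON). Field names other than
# filename_disk, and all values, are assumptions made for this example.
SAMPLE_METADATA = [
    {"id": "11111111-1111-4111-8111-111111111111",
     "filename_disk": "11111111-1111-4111-8111-111111111111.png",
     "filesize": 5, "type": "image/png"},
    {"id": "22222222-2222-4222-8222-222222222222",
     "filename_disk": "22222222-2222-4222-8222-222222222222.pdf",
     "filesize": 9, "type": "application/pdf"},
]

# Leading bytes expected for a few declared MIME types; a file whose recorded
# type no longer matches its first bytes has had its contents replaced.
MAGIC = {
    "image/png": b"\x89PNG",
    "image/jpeg": b"\xff\xd8\xff",
    "application/pdf": b"%PDF",
}


@dataclass
class AuditResult:
    orphans: list = field(default_factory=list)        # on disk, no metadata row
    size_mismatch: list = field(default_factory=list)  # (name, recorded, actual)
    type_mismatch: list = field(default_factory=list)  # (name, declared type)
    missing: list = field(default_factory=list)        # metadata row, no file


def audit_uploads(upload_dir, metadata):
    """Reconcile the upload folder with the metadata Directus holds for it."""
    known = {m["filename_disk"]: m for m in metadata}
    on_disk = {n for n in os.listdir(upload_dir)
               if os.path.isfile(os.path.join(upload_dir, n))}
    result = AuditResult()

    for name in sorted(on_disk):
        if name not in known:
            # Present on disk but invisible in the UI: no metadata row exists.
            result.orphans.append(name)
            continue
        path = os.path.join(upload_dir, name)
        row = known[name]
        actual = os.path.getsize(path)
        if row.get("filesize") is not None and actual != row["filesize"]:
            result.size_mismatch.append((name, row["filesize"], actual))
        magic = MAGIC.get(row.get("type"))
        if magic is not None:
            with open(path, "rb") as f:
                if f.read(len(magic)) != magic:
                    result.type_mismatch.append((name, row["type"]))

    result.missing = sorted(n for n in known if n not in on_disk)
    return result


def build_sample_dir():
    """Create a constructed upload folder showing an untouched file, a silently
    replaced file and a file that was never registered with Directus."""
    d = tempfile.mkdtemp(prefix="directus-uploads-")
    # Untouched PNG: 5 bytes, matches the recorded size and type.
    with open(os.path.join(d, SAMPLE_METADATA[0]["filename_disk"]), "wb") as f:
        f.write(b"\x89PNG\n")
    # Existing PDF whose contents were replaced: metadata still says 9 bytes
    # of application/pdf, but the file is now 21 bytes of HTML.
    with open(os.path.join(d, SAMPLE_METADATA[1]["filename_disk"]), "wb") as f:
        f.write(b"<html>replaced</html>")
    # New file with no metadata row at all (constructed UUID-style name).
    with open(os.path.join(d, "33333333-3333-4333-8333-333333333333.svg"), "wb") as f:
        f.write(b"<svg/>")
    return d


if __name__ == "__main__":
    sample_dir = build_sample_dir()
    print(json.dumps(asdict(audit_uploads(sample_dir, SAMPLE_METADATA)), indent=2))
```

Run it against a real deployment by pointing audit_uploads at the configured upload folder and a fresh export of the file metadata; orphans and size or type mismatches are the files worth inspecting, since neither shows up in the Directus UI. A size check alone misses a same-length replacement, which is why the magic-byte comparison is included for the types it knows.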
Exploitation is very simple. An attacker only needs network access to the vulnerable Directus instance and knowledge of at least one valid file UUID. The advisory warns: “Once network access and knowledge of at least one file UUID is available for the attacker, exploitation can be done by sending a single request.”
Since Directus often serves images or assets with predictable UUIDs, attackers can easily obtain them by browsing a connected application.
The consequences of this vulnerability vary depending on deployment but include several severe scenarios:
- Phishing Pages with SVG Files
  Attackers could upload crafted SVGs that embed malicious scripts. The advisory notes: “SVGs can be used to set up very sophisticated looking pages… the browser could fill out the login forms, making for a much more convincing page.”
- Unauthenticated Remote Code Execution
  In configurations where servers serve files directly from the upload directory (such as via Nginx), attackers could upload a webshell. As the report warns: “An arbitrary file write might allow an attacker to upload a webshell into the folder… an attacker can achieve unauthenticated code execution on the server.”
- File Poisoning and Internal Credential Theft
  Attackers could tamper with hosted documents such as onboarding PDFs or internal manuals, inserting malicious links to harvest credentials. “It would be trivial to set up a spoofed instance which receives credentials for internal services but redirects to the original, internal service right after.”
Administrators running older versions of Directus are strongly urged to upgrade immediately to version 11.9.3 and to review file-serving configurations to ensure that uploaded content cannot be directly executed.