Critical Directus vulnerability enables unauthenticated file upload and remote code execution
Take action: If you're running Directus, upgrade to version 11.9.3 or later immediately. The flaw is critical, Directus instances are commonly internet-facing, and exploitation takes a single unauthenticated request, so attackers will automate it quickly. If you can't upgrade right away, cut your Directus instance off from the internet until you can patch.
Learn More
Directus has disclosed a critical security vulnerability that allows unauthenticated attackers to upload arbitrary files and overwrite existing files on vulnerable servers, potentially leading to complete compromise of the Directus instance.
Directus offers a real-time API and an app dashboard for managing SQL databases, serving as a backend that enables databases to be transformed into headless CMS solutions. The platform provides admin panels, custom user interfaces, instant APIs, authentication capabilities, and database management features.
The flaw is tracked as CVE-2025-55746 (CVSS score 9.3) and is caused by insufficient input sanitization in the file update mechanism exposed through the /files route. The handler that updates an existing file, identified by its primary key, does not sanitize the filename_disk value. An attacker can therefore place path traversal sequences in that field and make the server write to arbitrary locations within the upload directory structure, overwriting existing files or creating new ones, bypassing the controls that would normally govern that storage.
To exploit the flaw, an attacker needs only network access to the vulnerable Directus instance and at least one file UUID. File UUIDs are usually easy to obtain by browsing an application that uses the Directus instance to serve images or other media, since they appear in the asset URLs. With a UUID in hand, a single malicious request is enough.
Affected versions of Directus range from 10.8.0 up to, but not including, 11.9.3.
Directus has fixed the vulnerability in version 11.9.3.
Security researchers have identified approximately 173,000 Directus instances accessible on the internet.
Organizations should immediately upgrade to Directus version 11.9.3 or later to address this critical vulnerability. Where immediate patching is not feasible, the Directus instance should be isolated from the internet until the upgrade can be applied.