CVE-2025-27089

Summary

CVE-2025-27089 is a vulnerability affecting Directus, a real-time API and App dashboard for managing SQL database content. In affected versions, if there are two overlapping policies granting update access to different fields, a user is allowed to update the union of these fields for items that match the policy conditions. This behavior deviates from previous versions where a user could only update the fields permitted by the policy applicable to that specific item. The newly introduced solution in this PR involves evaluating permissions for each requested field during validation, rather than verifying access to the item as a whole. As a result, the validation returns an item with either 1 or null for all requested fields, making it unsuitable for retrieving actual data. The vulnerability, which can potentially impact password fields in user accounts, has been addressed in version 11.1.2. Users are advised to upgrade as there are no known workarounds for this issue.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.