Moderate severityNVD Advisory· Published Feb 19, 2025· Updated Feb 19, 2025

Overlapping policies allow update to non-allowed fields in directus

CVE-2025-27089

Description

Directus is a real-time API and App dashboard for managing SQL database content. In affected versions if there are two overlapping policies for the update action that allow access to different fields, instead of correctly checking access permissions against the item they apply for the user is allowed to update the superset of fields allowed by any of the policies. E.g. have one policy allowing update access to field_a if the id == 1 and one policy allowing update access to field_b if the id == 2. The user with both these policies is allowed to update both field_a and field_b for the items with ids 1 and 2. Before v11, if a user was allowed to update an item they were allowed to update the fields that the single permission, that applied to that item, listed. With overlapping permissions this isn't as clear cut anymore and the union of fields might not be the fields the user is allowed to update for that specific item. The solution that this PR introduces is to evaluate the permissions for each field that the user tries to update in the validateItemAccess DB query, instead of only verifying access to the item as a whole. This is done by, instead of returning the actual field value, returning a flag that indicates if the user has access to that field. This uses the same case/when mechanism that is used for stripping out non permitted field that is at the core of the permissions engine. As a result, for every item that the access is validated for, the expected result is an item that has either 1 or null for all the "requested" fields instead of any of the actual field values. These results are not useful for anything other than verifying the field level access permissions. The final check in validateItemAccess can either fail if the number of items does not match the number of items the access is checked for (ie. the user does not have access to the item at all) or if not all of the passed in fields have access permissions for any of the returned items. This is a vulnerability that allows update access to unintended fields, potentially impacting the password field for user accounts. This has been addressed in version 11.1.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
directusnpm	>= 11.0.0, < 11.1.2	11.1.2
@directus/apinpm	>= 22.0.0, < 23.1.0	23.1.0

Affected products

Monospace/Directusv5
Range: >= 11.0.0, < 11.1.2

Patches

a7ea67783b06

Merge commit from fork

https://github.com/directus/directusHannes KüttnerOct 21, 2024via ghsa

commit

7 files changed · +107 −16

api/src/database/run-ast/lib/get-db-query.ts+15 −10 modified

@@ -1,7 +1,8 @@
 import { useEnv } from '@directus/env';
-import type { Filter, Permission, Query, SchemaOverview } from '@directus/types';
+import type { Filter, Permission, Query } from '@directus/types';
 import type { Knex } from 'knex';
 import { cloneDeep } from 'lodash-es';
+import type { Context } from '../../../permissions/types.js';
 import type { FieldNode, FunctionFieldNode, O2MNode } from '../../../types/ast.js';
 import type { ColumnSortRecord } from '../../../utils/apply-query.js';
 import applyQuery, { applyLimit, applySort, generateAlias } from '../../../utils/apply-query.js';
@@ -15,19 +16,23 @@ import { getNodeAlias } from '../utils/get-field-alias.js';
 import { getInnerQueryColumnPreProcessor } from '../utils/get-inner-query-column-pre-processor.js';
 import { withPreprocessBindings } from '../utils/with-preprocess-bindings.js';
 
+export type DBQueryOptions = {
+	table: string;
+	fieldNodes: (FieldNode | FunctionFieldNode)[];
+	o2mNodes: O2MNode[];
+	query: Query;
+	cases: Filter[];
+	permissions: Permission[];
+	permissionsOnly?: boolean;
+};
+
 export function getDBQuery(
-	schema: SchemaOverview,
-	knex: Knex,
-	table: string,
-	fieldNodes: (FieldNode | FunctionFieldNode)[],
-	o2mNodes: O2MNode[],
-	query: Query,
-	cases: Filter[],
-	permissions: Permission[],
+	{ table, fieldNodes, o2mNodes, query, cases, permissions, permissionsOnly }: DBQueryOptions,
+	{ knex, schema }: Context,
 ): Knex.QueryBuilder {
 	const aliasMap: AliasMap = Object.create(null);
 	const env = useEnv();
-	const preProcess = getColumnPreprocessor(knex, schema, table, cases, permissions, aliasMap);
+	const preProcess = getColumnPreprocessor(knex, schema, table, cases, permissions, aliasMap, permissionsOnly);
 	const queryCopy = cloneDeep(query);
 	const helpers = getHelpers(knex);

api/src/database/run-ast/modules/fetch-permitted-ast-root-fields.ts+50 −0 added

@@ -0,0 +1,50 @@
+import type { Accountability, Permission, SchemaOverview } from '@directus/types';
+import type { Knex } from 'knex';
+import { cloneDeep } from 'lodash-es';
+import { fetchPermissions } from '../../../permissions/lib/fetch-permissions.js';
+import { fetchPolicies } from '../../../permissions/lib/fetch-policies.js';
+import type { AST } from '../../../types/ast.js';
+import { getDBQuery } from '../lib/get-db-query.js';
+import { parseCurrentLevel } from '../lib/parse-current-level.js';
+
+type FetchPermittedAstRootFieldsOptions = {
+	schema: SchemaOverview;
+	accountability: Accountability;
+	knex: Knex;
+};
+
+/**
+ * Fetch the permitted top level fields of a given root type AST using a case/when query that is constructed the
+ * same way as `runAst` but only returns flags (1/null) instead of actual field values.
+ */
+export async function fetchPermittedAstRootFields(
+	originalAST: AST,
+	{ schema, accountability, knex }: FetchPermittedAstRootFieldsOptions,
+) {
+	const ast = cloneDeep(originalAST);
+
+	const { name: collection, children, cases, query } = ast;
+
+	// Retrieve the database columns to select in the current AST
+	const { fieldNodes } = await parseCurrentLevel(schema, collection, children, query);
+
+	let permissions: Permission[] = [];
+
+	if (accountability && !accountability.admin) {
+		const policies = await fetchPolicies(accountability, { schema, knex });
+		permissions = await fetchPermissions({ action: 'read', accountability, policies }, { schema, knex });
+	}
+
+	return getDBQuery(
+		{
+			table: collection,
+			fieldNodes,
+			o2mNodes: [],
+			query,
+			cases,
+			permissions,
+			permissionsOnly: true,
+		},
+		{ schema, knex },
+	);
+}

api/src/database/run-ast/run-ast.ts+11 −1 modified

@@ -71,7 +71,17 @@ export async function runAst(
 		}
 
 		// The actual knex query builder instance. This is a promise that resolves with the raw items from the db
-		const dbQuery = getDBQuery(schema, knex, collection, fieldNodes, o2mNodes, query, cases, permissions);
+		const dbQuery = getDBQuery(
+			{
+				table: collection,
+				fieldNodes,
+				o2mNodes,
+				query,
+				cases,
+				permissions,
+			},
+			{ schema, knex },
+		);
 
 		const rawItems: Item | Item[] = await dbQuery;

api/src/database/run-ast/utils/get-column-pre-processor.ts+8 −1 modified

@@ -21,6 +21,7 @@ export function getColumnPreprocessor(
 	cases: Filter[],
 	permissions: Permission[],
 	aliasMap: AliasMap,
+	permissionsOnly?: boolean,
 ) {
 	const helpers = getHelpers(knex);
 
@@ -47,7 +48,13 @@ export function getColumnPreprocessor(
 
 		let column;
 
-		if (field?.type?.startsWith('geometry')) {
+		if (permissionsOnly) {
+			if (noAlias) {
+				column = knex.raw(1);
+			} else {
+				column = knex.raw('1 as ??', [alias]);
+			}
+		} else if (field?.type?.startsWith('geometry')) {
 			column = helpers.st.asText(table, field.field, rawColumnAlias);
 		} else if (fieldNode.type === 'functionField') {
 			// Include the field cases in the functionField query filter

api/src/permissions/modules/validate-access/lib/validate-item-access.ts+12 −3 modified

@@ -1,6 +1,6 @@
 import type { Accountability, PermissionsAction, PrimaryKey, Query } from '@directus/types';
 import { getAstFromQuery } from '../../../../database/get-ast-from-query/get-ast-from-query.js';
-import { runAst } from '../../../../database/run-ast/run-ast.js';
+import { fetchPermittedAstRootFields } from '../../../../database/run-ast/modules/fetch-permitted-ast-root-fields.js';
 import type { Context } from '../../../types.js';
 import { processAst } from '../../process-ast/process-ast.js';
 
@@ -9,6 +9,7 @@ export interface ValidateItemAccessOptions {
 	action: PermissionsAction;
 	collection: string;
 	primaryKeys: PrimaryKey[];
+	fields?: string[];
 }
 
 export async function validateItemAccess(options: ValidateItemAccessOptions, context: Context) {
@@ -24,7 +25,7 @@ export async function validateItemAccess(options: ValidateItemAccessOptions, con
 	const query: Query = {
 		// We don't actually need any of the field data, just want to know if we can read the item as
 		// whole or not
-		fields: [],
+		fields: options.fields ?? [],
 		limit: options.primaryKeys.length,
 	};
 
@@ -46,9 +47,17 @@ export async function validateItemAccess(options: ValidateItemAccessOptions, con
 		},
 	};
 
-	const items = await runAst(ast, context.schema, options.accountability, { knex: context.knex });
+	const items = await fetchPermittedAstRootFields(ast, {
+		schema: context.schema,
+		accountability: options.accountability,
+		knex: context.knex,
+	});
 
 	if (items && items.length === options.primaryKeys.length) {
+		if (options.fields) {
+			return items.every((item: any) => options.fields!.every((field) => item[field] === 1));
+		}
+
 		return true;
 	}

api/src/permissions/modules/validate-access/validate-access.ts+10 −1 modified

@@ -9,6 +9,7 @@ export interface ValidateAccessOptions {
 	action: PermissionsAction;
 	collection: string;
 	primaryKeys?: PrimaryKey[];
+	fields?: string[];
 }
 
 /**
@@ -40,8 +41,16 @@ export async function validateAccess(options: ValidateAccessOptions, context: Co
 	}
 
 	if (!access) {
+		if (options.fields?.length ?? 0 > 0) {
+			throw new ForbiddenError({
+				reason: `You don't have permissions to perform "${options.action}" for the field(s) ${options
+					.fields!.map((field) => `"${field}"`)
+					.join(', ')} in collection "${options.collection}" or it does not exist.`,
+			});
+		}
+
 		throw new ForbiddenError({
-			reason: `You don't have permission to "${options.action}" from collection "${options.collection}" or it does not exist.`,
+			reason: `You don't have permission to perform "${options.action}" for collection "${options.collection}" or it does not exist.`,
 		});
 	}
 }

api/src/services/items.ts+1 −0 modified

@@ -727,6 +727,7 @@ export class ItemsService<Item extends AnyItem = AnyItem, Collection extends str
 					action: 'update',
 					collection: this.collection,
 					primaryKeys: keys,
+					fields: Object.keys(payloadAfterHooks),
 				},
 				{
 					schema: this.schema,

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-99vm-5v2h-h6r6ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-27089ghsaADVISORY
github.com/directus/directus/commit/a7ea67783b060d0d6fc964d71c2d4575d5eee4e2ghsaWEB
github.com/directus/directus/releases/tag/v11.1.2ghsax_refsource_MISCWEB
github.com/directus/directus/security/advisories/GHSA-99vm-5v2h-h6r6ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000