Directus's exact version number is exposed by the OpenAPI Spec
Description
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly used as the OpenAPI Spec version (`info.version`), which means it is exposed by the /server/specs/oas endpoint without authentication. With the exact version information, a malicious attacker can look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version. Version 11.9.0 fixes the issue.
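A defender-side check for the disclosure described above, added here as an example and not code from Directus: it parses the JSON served by /server/specs/oas and reports whether `info.version` still carries a release-style version number. The two spec bodies are constructed samples that only mimic the shape of the pre- and post-fix responses.

```python
import json
import re
from typing import Optional

# A release-style version: MAJOR.MINOR.PATCH with optional pre-release/build tags.
SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")


def disclosed_version(spec_json: str) -> Optional[str]:
    """Return info.version when it looks like an exact product release number,
    otherwise None. Input is the JSON body returned by /server/specs/oas."""
    spec = json.loads(spec_json)
    info = spec.get("info") or {}
    version = info.get("version")
    if isinstance(version, str) and SEMVER_RE.match(version):
        return version
    return None


# Constructed sample: shape of the spec before the fix (exact release leaks).
VULNERABLE_SPEC = json.dumps({
    "openapi": "3.0.1",
    "info": {"title": "Dynamic API Specification", "version": "11.8.0"},
    "servers": [{"url": "https://cms.example.invalid"}],
})

# Constructed sample: shape after the fix, where info.version is a per-request
# hash (the hex value below is made up, not a real object-hash output).
PATCHED_SPEC = json.dumps({
    "openapi": "3.0.1",
    "info": {"title": "Dynamic API Specification",
             "version": "3f1c0a9e5b2d7c4e8a1b6d0f9e2c5a7b4d8e1f0a"},
    "servers": [{"url": "https://cms.example.invalid"}],
})

if __name__ == "__main__":
    for label, body in (("vulnerable", VULNERABLE_SPEC), ("patched", PATCHED_SPEC)):
        found = disclosed_version(body)
        verdict = f"discloses {found}" if found else "no release version in info.version"
        print(f"{label}: {verdict}")
```

Point it at a live instance by feeding the response body of your own deployment's /server/specs/oas endpoint to `disclosed_version`; a non-None result means the pre-11.9.0 behaviour is still present.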
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| directus (npm) | < 11.9.0 | 11.9.0 |
Patches
1e74f3e4e92edUpdate `info.version` in the OpenAPI specs (#25353)
2 files changed · +12 −2
api/src/services/specifications.ts+7 −2 modified@@ -4,9 +4,9 @@ import { spec } from '@directus/specs'; import { isSystemCollection } from '@directus/system-data'; import type { Accountability, FieldOverview, Permission, SchemaOverview, Type } from '@directus/types'; import { getRelation } from '@directus/utils'; -import { version } from 'directus/version'; import type { Knex } from 'knex'; import { cloneDeep, mergeWith } from 'lodash-es'; +import hash from 'object-hash'; import type { OpenAPIObject, ParameterObject, @@ -91,13 +91,18 @@ class OASSpecsService implements SpecificationSubService { const isDefaultPublicUrl = env['PUBLIC_URL'] === '/'; const url = isDefaultPublicUrl && host ? host : (env['PUBLIC_URL'] as string); + const hashedVersion = hash({ + now: new Date().toISOString(), + user: this.accountability?.user, + }); + const spec: OpenAPIObject = { openapi: '3.0.1', info: { title: 'Dynamic API Specification', description: 'This is a dynamically generated API specification for all endpoints existing on the current project.', - version: version, + version: hashedVersion, }, servers: [ {
.changeset/empty-rules-cheat.md+5 −0 added@@ -0,0 +1,5 @@ +--- +'@directus/api': patch +--- + +Updated `info.version` in the OpenAPI specs
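Review bot: In the first specifications.ts hunk (`@@ -4,9 +4,9 @@`), `import { version } from 'directus/version';` is dropped while `import hash from 'object-hash';` is added; the diff does not show the api package manifest, so confirm that `object-hash` (and its types) is declared as a dependency of `@directus/api` rather than resolved transitively, and that no other use of the removed `version` binding remains in the file beyond the one replaced in the later hunk.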
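Review bot: In the second specifications.ts hunk (`@@ -91,13 +91,18 @@`), `hashedVersion` is computed from `now: new Date().toISOString()` and `user: this.accountability?.user`, so `info.version` changes on every request; clients that cache, diff or generate code from the spec will see a spuriously new document each time, and the value carries no meaning as an OpenAPI document version. Consider a stable value that does not reveal the running release (for example a fixed document version string), and document why the exact product version must not be placed there so it is not reintroduced.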
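Review bot: The changeset hunk (`.changeset/empty-rules-cheat.md`) describes the change only as "Updated `info.version` in the OpenAPI specs"; since this is a user-visible behavioural change made for a security reason, the note should say that the exact Directus version is no longer exposed via /server/specs/oas and reference the advisory, so the release notes explain why the field is no longer a release number.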
References
- https://github.com/advisories/GHSA-rmjh-cf9q-pv7q (advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-53887 (advisory)
- https://github.com/directus/directus/commit/e74f3e4e92edc33b5f83eefb001a3d2a85af17a3 (fix commit)
- https://github.com/directus/directus/pull/25353 (fix pull request)
- https://github.com/directus/directus/releases/tag/v11.9.0 (patched release)
- https://github.com/directus/directus/security/advisories/GHSA-rmjh-cf9q-pv7q (vendor advisory)
News mentions
No linked articles in our index yet.