CVE-2025-24353: 
JavaScript vulnerability analysis and mitigation

Directus, a real-time API and App dashboard for managing SQL database content, was found to have a privilege escalation vulnerability (CVE-2025-24353) prior to version 11.2.0. When sharing an item, a typical user could specify an arbitrary role, allowing them to use a higher-privileged role to see fields that they should not have access to. The vulnerability was discovered and disclosed on January 23, 2025 (NVD, GitHub Advisory).

The vulnerability stems from a security flaw in the share feature's role specification functionality. The issue affects instances that use the share feature and have specific roles hierarchy with fields not visible for certain roles. The vulnerability has been assigned a CVSS v3.1 base score of 5.0 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N, indicating network attack vector, low attack complexity, and low privileges required (GitHub Advisory).

The vulnerability allows unauthorized access to sensitive field values that should be restricted based on role permissions. Users with lower-privileged roles could exploit the share feature to gain access to fields that were intended to be visible only to higher-privileged roles. This creates a privilege escalation scenario where data confidentiality could be compromised (GitHub Advisory).

The vulnerability has been fixed in Directus version 11.2.0. Users are advised to upgrade to this version or later. The fix includes proper permission generation for shares and ensures that role specifications in shares are properly validated (GitHub Release).