CVE-2025-53887: 
JavaScript vulnerability analysis and mitigation

Directus, a real-time API and App dashboard for managing SQL database content, disclosed a vulnerability (CVE-2025-53887) where the exact version number was incorrectly exposed through the OpenAPI Spec version. This vulnerability affects versions from 9.0.0 to versions prior to 11.9.0, where the version information was being exposed by the /server/specs/oas endpoint without authentication. The vulnerability was discovered and disclosed on July 14, 2025 (GitHub Advisory, NVD).

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). It received a CVSS v3.1 base score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The technical issue stems from the incorrect implementation where the Directus version number was being used as the OpenAPI Spec version, making it accessible through the /server/specs/oas endpoint without any authentication requirements (GitHub Advisory).

The exposure of the exact version information enables malicious attackers to identify known vulnerabilities in both the Directus core and any of its shipped dependencies for the specific running version. This information disclosure could serve as a stepping stone for more targeted attacks against vulnerable installations (GitHub Advisory).

The vulnerability has been fixed in Directus version 11.9.0. Users are advised to upgrade to this version or later to address the security issue. The fix involves updating the info.version in the OpenAPI specs to prevent version information disclosure (GitHub Release, GitHub Patch).