Directus, Stored Cross-Site Scripting, CVE-2025-64747 (Critical)


CVE-2025-64747 is a stored cross-site scripting flaw in Directus versions before 11.13.0. The weakness is in the Block Editor interface, which does not adequately sanitize user-supplied content. An attacker who holds both the "upload files" and "edit item" permissions can upload an HTML file containing malicious JavaScript, then reference that uploaded file from the Block Editor's iframe block through its `srcdoc` attribute. Because `srcdoc` hands the browser an HTML document to render directly inside the frame, the embedded script executes in the context of the Directus application; the advisory describes this as sidestepping Content Security Policy (CSP) rules that would normally block inline scripts. The payload is persisted with the item, so it runs for every user who views the affected content, including administrators, which opens the door to session hijacking and theft of admin credentials. Upgrading to 11.13.0 or later removes the issue; until then, the combination of file-upload and item-edit rights should be limited to trusted roles.
Platform: Directus
Version: < 11.13.0
Vulnerability: Stored XSS
Severity: Critical
Date: 2025-11-13
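The following audit script is an added example written for this page, not code from the Directus project or the original post. It checks a reported server version against the 11.13.0 fix line, walks exported item content for `<iframe>` tags that carry a `srcdoc` attribute, and lists uploaded files that are HTML by MIME type or filename. The export shapes (an array of items with an Editor.js-style `content` object, and an array of file rows with `filename_download` and `type`) and all sample data are assumptions constructed for the example.

```javascript
// Added example (not Directus code). Audits exported Directus data for the pattern
// described above: iframe srcdoc in stored Block Editor content, uploaded HTML files,
// and a server version below 11.13.0. Data shapes below are assumptions for the example.

// Matches one <iframe ...> opening tag; quoted attribute values may contain '>'
// (a srcdoc payload usually does), so quoted runs are consumed whole.
const IFRAME_TAG_RE = /<iframe\b(?:[^>"']|"[^"]*"|'[^']*')*>/gi;
const SRCDOC_ATTR_RE = /\bsrcdoc\s*=/i;

// True when a dotted version string is below 11.13.0, the first release with the fix.
// Prerelease suffixes are ignored, so "11.13.0-rc.1" is treated as fixed.
function isVulnerableVersion(version) {
  const fixed = [11, 13, 0];
  const parts = String(version)
    .replace(/^v/, '')
    .split('.')
    .map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const n = parts[i] || 0;
    if (n < fixed[i]) return true;
    if (n > fixed[i]) return false;
  }
  return false;
}

// Depth-first walk of arbitrary JSON yielding every string leaf. Block Editor content
// is stored as JSON, so HTML can sit at any depth inside a block's data.
function* stringLeaves(value) {
  if (typeof value === 'string') {
    yield value;
  } else if (Array.isArray(value)) {
    for (const v of value) yield* stringLeaves(v);
  } else if (value && typeof value === 'object') {
    for (const v of Object.values(value)) yield* stringLeaves(v);
  }
}

// Flag every iframe tag with a srcdoc attribute in any string field of each item.
function findSrcdocIframes(items) {
  const hits = [];
  for (const item of items) {
    for (const text of stringLeaves(item.content)) {
      for (const tag of text.match(IFRAME_TAG_RE) || []) {
        if (SRCDOC_ATTR_RE.test(tag)) hits.push({ itemId: item.id, tag });
      }
    }
  }
  return hits;
}

// Flag uploads that are HTML by declared MIME type or by download filename.
function findHtmlUploads(files) {
  return files
    .filter(
      (f) =>
        /^text\/html\b/i.test(f.type || '') ||
        /\.x?html?$/i.test(f.filename_download || '')
    )
    .map((f) => f.id);
}

// Constructed sample data (hypothetical, not taken from any real instance).
const SAMPLE_VERSION = '11.12.3';
const SAMPLE_ITEMS = [
  { id: 1, content: { blocks: [{ type: 'paragraph', data: { text: 'Hello <b>world</b>' } }] } },
  {
    id: 2,
    content: {
      blocks: [
        { type: 'raw', data: { html: '<iframe srcdoc="<script>alert(document.cookie)</script>"></iframe>' } },
      ],
    },
  },
  { id: 3, content: { blocks: [{ type: 'raw', data: { html: '<iframe src="https://example.org/embed"></iframe>' } }] } },
];
const SAMPLE_FILES = [
  { id: 'a1', filename_download: 'report.pdf', type: 'application/pdf' },
  { id: 'b2', filename_download: 'payload.html', type: 'text/html' },
  { id: 'c3', filename_download: 'notes', type: 'text/html; charset=utf-8' },
];

// Run the three checks over the sample data and return one summary object.
function auditSample() {
  return {
    vulnerableVersion: isVulnerableVersion(SAMPLE_VERSION),
    srcdocIframes: findSrcdocIframes(SAMPLE_ITEMS),
    htmlUploads: findHtmlUploads(SAMPLE_FILES),
  };
}

console.log(JSON.stringify(auditSample(), null, 2));
```

The iframe regex is deliberately conservative: it is a triage filter for exported JSON, not an HTML parser, and any hit should be inspected by hand. A file flagged by `findHtmlUploads` is not proof of abuse on its own; the combination of an HTML upload and an item referencing it through `srcdoc` is the signal worth escalating.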

Prediction: Patch Available

What Undercode Say:

curl -H "Authorization: Bearer <token>" -F "file=@malicious.html" https://directus-instance.com/files   # <token> and malicious.html are placeholders; the upload requires the "upload files" permission