GHSA-fm3h-p9wm-h74h: Directus's webhook trigger flows can leak sensitive data
Describe the Bug
In Directus, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environment variables, sensitive API keys, user accountability information, and operational data.
This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse.
To Reproduce
Steps to Reproduce:
- Create a Flow in Directus with:
- Trigger: Webhook
- Response Body: Data of Last Operation
- Add a condition that is likely to fail.
- Trigger the Flow with any input data that will fail the condition.
- Observe the API response, which includes sensitive information like:
- Environment variables ($env)
- Authorization headers
- User details under $accountability
- Previous operational data.
Expected Behavior:
In the event of a ValidationError, the API response should only contain relevant error messages and details, avoiding the exposure of sensitive data.
Actual Behavior:
The API response includes sensitive information such as:
- Environment keys (FLOWS_ENV_ALLOW_LIST)
- User accountability (role, user, etc.)
- Operational logs (current_payments, $last), which might contain private details.
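As an added illustration (not Directus code), the check below walks a webhook response body, reports the data classes this advisory names ($env, $accountability, $last, authorization headers), and shows the reduced shape a ValidationError response should have. The response layout and the constructed sample values are assumptions for the demonstration, not captured Directus output.

```javascript
// Key names the advisory identifies as leaking through the Flow response.
const SENSITIVE_KEYS = new Set(['$env', '$accountability', '$last', 'authorization']);

// Walk a JSON value and collect the dotted path of every sensitive key found,
// so an operator can verify a patched instance no longer returns them.
function findSensitivePaths(value, path = '', found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findSensitivePaths(item, `${path}[${i}]`, found));
  } else if (value && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const childPath = path ? `${path}.${key}` : key;
      if (SENSITIVE_KEYS.has(key.toLowerCase())) {
        found.push(childPath); // do not descend: the whole subtree is sensitive
      } else {
        findSensitivePaths(child, childPath, found);
      }
    }
  }
  return found;
}

// Reduce a ValidationError response to the message and field details only,
// which is the expected behaviour the advisory describes.
function redactFlowError(body) {
  const errors = (body.errors || []).map((err) => ({
    message: err.message,
    extensions: { code: err.extensions?.code, field: err.extensions?.field },
  }));
  return { errors };
}

// Constructed sample resembling the leaky response (assumed structure).
const sampleResponse = {
  errors: [{
    message: 'Validation failed for field "amount".',
    extensions: { code: 'FAILED_VALIDATION', field: 'amount' },
  }],
  data: {
    $trigger: { headers: { authorization: 'Bearer <constructed-token>' }, body: { amount: -1 } },
    $env: { FLOWS_ENV_ALLOW_LIST: 'SECRET_KEY' },
    $accountability: { role: '<constructed-role-id>', user: '<constructed-user-id>' },
    $last: { current_payments: [{ id: 1, amount: 42 }] },
  },
};

console.log('leaked paths:', findSensitivePaths(sampleResponse));
console.log('redacted:', JSON.stringify(redactFlowError(sampleResponse)));
```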
References
- GHSA-fm3h-p9wm-h74h
- https://nvd.nist.gov/vuln/detail/CVE-2025-30353