CVE-2024-47822:
Directus inserts access token from query string into logs
4.2
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @directus/api | npm | < 21.0.0 | 21.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability lies in the logging configuration: when the log style (`LOG_STYLE`) is set to `raw`, the `access_token` query parameter is not redacted from the logged request. The referenced commit modifies the `createExpressLogger` function in `api/src/logger/index.ts` to add `req.query.access_token` to the list of redacted paths, which shows that before the patch this function produced the logging configuration responsible for the leak. `createExpressLogger` does not handle requests directly; it configures the request logger for Express, and the logger it configures is active during the request lifecycle. When a request carries `access_token` in its query string and `LOG_STYLE` is `raw`, that logger writes the token to the logs.

`createExpressLogger` is therefore the key function for this vulnerability because it defines the logging behaviour. During exploitation, the logger instance created and configured by this function is the one that writes the sensitive value to the logs. `createExpressLogger` itself may not appear in the stack trace at the exact moment the line is written, since the actual logging is performed by the `pino-http` middleware that uses this configuration, but it is the Directus function where the vulnerability (the missing redaction) originates from a configuration standpoint.
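To make the missing-redaction point concrete, here is an added example (not Directus code and not the pino library): a minimal stand-in for pino's dot-path `redact` option, run over a constructed request once with a redact list that covers only header credentials (an assumed pre-fix list) and once with `req.query.access_token` added, as the patch does. The stand-in serialises only the `query` and `headers` fields of the sample request.

```javascript
// Added example: simplified stand-in for pino's `redact` paths, to show why
// a raw-style request log needs `req.query.access_token` in its redact list.
const CENSOR = '[Redacted]'; // pino's default censor string

// Replace the value at each dot-separated path (e.g. 'req.query.access_token').
// The input is not mutated; paths that do not exist in the object are ignored.
function redact(obj, paths) {
  const copy = JSON.parse(JSON.stringify(obj));
  for (const path of paths) {
    const keys = path.split('.');
    let node = copy;
    for (const key of keys.slice(0, -1)) {
      if (node === null || typeof node !== 'object' || !(key in node)) { node = null; break; }
      node = node[key];
    }
    const last = keys[keys.length - 1];
    if (node && typeof node === 'object' && last in node) node[last] = CENSOR;
  }
  return copy;
}

// Serialise the request the way a raw log style would: the whole object.
function rawLogLine(req, redactPaths) {
  return JSON.stringify(redact({ req }, redactPaths));
}

// Assumed pre-fix redact list: header-carried credentials only ...
const REDACT_BEFORE = ['req.headers.authorization', 'req.headers.cookie'];
// ... and the post-fix list with the query-string path from the patch.
const REDACT_AFTER = [...REDACT_BEFORE, 'req.query.access_token'];

// Constructed sample request: the token is passed as ?access_token=...
const SAMPLE_REQ = {
  method: 'GET',
  query: { access_token: 'SAMPLE_TOKEN_VALUE' },
  headers: { host: 'directus.example', authorization: 'Bearer SAMPLE_TOKEN_VALUE' },
};

// True if the token value survives into the emitted log line.
function leaksToken(redactPaths) {
  return rawLogLine(SAMPLE_REQ, redactPaths).includes('SAMPLE_TOKEN_VALUE');
}

console.log('leaks before fix:', leaksToken(REDACT_BEFORE)); // true
console.log('leaks after fix:', leaksToken(REDACT_AFTER));   // false
```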