Directus Vulnerable to Information Leakage in Existing Collections_CVE-2025-64749

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they are not authorized to access, and when user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users which are not authorized to access these collections. Version 11.13.0 fixes the issue.

Basic Information

ID CVE-2025-64749

Source GitHub_M

Published Nov 13, 2025 at 21:34

Affected Product

Vendor directus

Product directus

Version < 11.13.0

Affected Versions directus directus < 11.13.0

CWE Classification

CWE-203 CWE-209

References

{
    "lastseen": "",
    "description": "Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they are not authorized to access, and when user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users which are not authorized to access these collections. Version 11.13.0 fixes the issue.",
    "published": "2025-11-13T21:34:54.603Z",
    "modified": "2025-11-13T21:34:54.603Z",
    "type": "cve",
    "title": "Directus Vulnerable to Information Leakage in Existing Collections",
    "source": "GitHub_M",
    "references": "https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr\nhttps://github.com/directus/directus/commit/f99c9b89071f9d136cc9b0d0c182f2d24542bc31",
    "id": "CVE-2025-64749",
    "bulletinFamily": "",
    "cwe": [
        "CWE-203",
        "CWE-209"
    ],
    "cvelist": null,
    "sourceData": "directus directus < 11.13.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "directus",
    "version": "< 11.13.0",
    "vendor": "directus",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}