Directus has Improper Permission Handling on Deleted Fields_CVE-2025-64746

4.6 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue.

Basic Information

ID CVE-2025-64746

Source GitHub_M

Published Nov 13, 2025 at 20:54

Modified Nov 13, 2025 at 21:19

Affected Product

Vendor directus

Product directus

Version < 11.13.0

Affected Versions directus directus < 11.13.0

CWE Classification

CWE-284 CWE-863

References

{
    "lastseen": "",
    "description": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue.",
    "published": "2025-11-13T20:54:42.351Z",
    "modified": "2025-11-13T21:19:01.907Z",
    "type": "cve",
    "title": "Directus has Improper Permission Handling on Deleted Fields",
    "source": "GitHub_M",
    "references": "https://github.com/directus/directus/security/advisories/GHSA-9x5g-62gj-wqf2\nhttps://github.com/directus/directus/commit/84d7636969083387164ce5d2fd15a65e11e2d0b8",
    "id": "CVE-2025-64746",
    "bulletinFamily": "",
    "cwe": [
        "CWE-284",
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "directus directus < 11.13.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.6,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "directus",
    "version": "< 11.13.0",
    "vendor": "directus",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}