CVE-2025-64748: Directus Sensitive Data at Risk – Patch Immediately!

Overview

CVE-2025-64748 identifies a medium severity vulnerability in Directus, a real-time API and App dashboard used for managing SQL database content. Versions prior to 11.13.0 are susceptible to a sensitive data enumeration vulnerability: any authenticated user with read permission on a collection can determine whether records exist whose concealed or sensitive field values match a search term, even though those values themselves are masked in the response.

Technical Details

The vulnerability stems from the search function matching against all fields, including those designated as concealed or sensitive. The values themselves are masked in the response (displayed as `****`), but the system still returns the records whose concealed values match the search criteria, so the size of the result set acts as an oracle. An attacker can iteratively refine searches and determine whether a record exists with specific characteristics in its masked sensitive fields. This behavior enables enumeration attacks on sensitive data that should otherwise be protected.

CVSS Analysis

  • CVSS Score: 6.5 (Medium)
  • This score indicates a moderate level of risk. While direct access to the sensitive data is not immediately available, the ability to enumerate records based on these fields presents a significant security concern.

Possible Impact

Successful exploitation of this vulnerability could lead to:

  • Data Exposure: Even without revealing the exact values, attackers can confirm the presence of data that matches specific criteria.
  • Information Gathering: Attackers can gather information about the structure and content of the database, which can be used for further attacks.
  • Compliance Violations: Exposing metadata related to sensitive data can violate data privacy regulations.

Mitigation and Patch Steps

The recommended mitigation is to upgrade your Directus instance to version 11.13.0 or later. This version contains a fix that prevents searching against masked fields, effectively eliminating the enumeration vulnerability.

  1. Backup Your Data: Before performing any upgrade, create a complete backup of your Directus database and application files.
  2. Upgrade Directus: Follow the official Directus upgrade documentation to upgrade your instance to version 11.13.0 or later.
  3. Verify the Fix: After upgrading, thoroughly test the search functionality to ensure that masked fields are no longer searchable.
  4. Monitor Logs: Continuously monitor your Directus logs for suspicious activity, in particular bursts of repeated, progressively refined search requests from a single account against collections that contain concealed fields.
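The following is an added illustration, not Directus code, of the behavior described under Technical Details and of the fix-verification check in step 3: a minimal model of a collection with one concealed field, a search that matches all fields (the vulnerable behavior), a search that excludes concealed fields (the hardened behavior), and a probe that reports whether the masked field still acts as a match oracle. The records, the `conceal` field special and the mask string are constructed assumptions.

```javascript
// Constructed sample data (assumption): a collection whose "api_token" field
// is flagged with the "conceal" special, meaning its value is masked on output.
const fields = [
  { field: 'id', special: [] },
  { field: 'email', special: [] },
  { field: 'api_token', special: ['conceal'] },
];
const records = [
  { id: 1, email: 'alice@example.com', api_token: 'tok-alpha-1234' },
  { id: 2, email: 'bob@example.com', api_token: 'tok-beta-5678' },
];
const MASK = '****';

const isConcealed = (f) => f.special.includes('conceal');
const matches = (rec, f, term) =>
  String(rec[f.field]).toLowerCase().includes(term.toLowerCase());

// Output masking, applied identically in both variants: the concealed value
// itself is never returned, which is why the enumeration bug is easy to miss.
function maskRecord(rec) {
  const out = { ...rec };
  for (const f of fields) if (isConcealed(f) && f.field in out) out[f.field] = MASK;
  return out;
}

// Vulnerable behavior (as described for versions before 11.13.0): the search
// predicate runs over every field, concealed ones included, before masking,
// so whether a record comes back depends on its hidden value.
function searchVulnerable(term) {
  return records.filter((r) => fields.some((f) => matches(r, f, term))).map(maskRecord);
}

// Hardened behavior: concealed fields are dropped from the predicate, so the
// result set no longer depends on hidden values while normal search still works.
function searchFixed(term) {
  const searchable = fields.filter((f) => !isConcealed(f));
  return records.filter((r) => searchable.some((f) => matches(r, f, term))).map(maskRecord);
}

// Fix-verification check (step 3): a term that occurs only inside a concealed
// field must return no records. Returns true if the match oracle still exists.
function concealedFieldsSearchable(search) {
  const probe = 'tok-alpha'; // present only in the concealed api_token field
  return search(probe).length > 0;
}
```

Against a live instance the same check is a search request using a value known to exist only in a concealed field; a non-empty result after upgrading means the fix is not in effect.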

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.