CVE-2025-64749: Directus Information Disclosure Vulnerability – Upgrade Now!

Overview

CVE-2025-64749 is an information disclosure vulnerability affecting Directus, a real-time API and App dashboard for managing SQL database content. Specifically, versions prior to 11.13.0 are vulnerable. This vulnerability allows unauthorized users to potentially determine the existence of specific collections within the Directus instance by observing subtle differences in error messages returned by the REST API. This can aid attackers in reconnaissance and potentially lead to further exploitation.

Technical Details

The vulnerability lies in the /items/{collection} API endpoint. Prior to version 11.13.0, Directus returned distinct error messages depending on whether a user attempted to access:

  • An existing collection that the user did not have authorization to access.
  • A non-existent collection.

The subtle difference in these error messages allowed an attacker to infer whether a collection name was valid, even without the permissions needed to view its contents. This “oracle” behavior enables enumeration of collection names and, through them, discovery of sensitive details about the database structure.

CVSS Analysis

The vulnerability has been assigned a CVSS score of 4.3 (Medium).

  • CVSS Score: 4.3
  • Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • Explanation: The vector reflects a remotely reachable (Network) endpoint, low attack complexity, no user interaction, and a limited confidentiality impact (Confidentiality: Low) with no impact on integrity or availability. The only privilege required is a valid low-privileged user account (PR:L).

Possible Impact

The exploitation of CVE-2025-64749 could have the following consequences:

  • Information Disclosure: An attacker can enumerate collection names, potentially revealing sensitive database schema information.
  • Reconnaissance: The revealed information can be used to further refine attacks by targeting specific collections.
  • Increased Attack Surface: Knowing the collection names can increase the chances of successful exploitation of other vulnerabilities within the Directus instance.

Mitigation / Patch Steps

The recommended mitigation is to upgrade your Directus instance to version 11.13.0 or later. This version contains a fix that ensures consistent error messages are returned, regardless of whether the collection exists or the user lacks authorization.

  1. Backup your Directus instance: Before upgrading, create a backup of your database and Directus files.
  2. Upgrade Directus: Follow the official Directus upgrade documentation to upgrade to version 11.13.0 or later.
  3. Verify the fix: After upgrading, test the /items/{collection} API endpoint with different user roles and collection names to ensure consistent error messages.
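One way to carry out the verification in step 3, as an added example that is not part of the original post: fetch the /items/{collection} response for a collection the test account cannot access and for a collection that does not exist, then compare status, error code and message (with the probed collection name masked) so the two responses must be indistinguishable. The base URL, token, collection names and the sample response bodies below are constructed for illustration.

```python
import json
import urllib.error
import urllib.request
from typing import List, NamedTuple, Tuple


class Probe(NamedTuple):
    collection: str  # collection name that was requested
    status: int      # HTTP status code returned
    body: str        # raw JSON body of the response


def fetch_probe(base_url: str, token: str, collection: str) -> Probe:
    """Request /items/{collection} with a low-privileged bearer token and keep the error response."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/items/{collection}",
        headers={"Authorization": f"Bearer {token}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return Probe(collection, resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:  # 4xx responses land here, body included
        return Probe(collection, err.code, err.read().decode())


def signature(probe: Probe) -> Tuple[int, Tuple[Tuple[str, str], ...]]:
    """Reduce a response to (status, ((error code, message), ...)), masking the collection name."""
    errors = json.loads(probe.body).get("errors", [])
    parts = tuple(
        (str(e.get("extensions", {}).get("code")), e.get("message", "").replace(probe.collection, "<collection>"))
        for e in errors
    )
    return (probe.status, parts)


def responses_consistent(probes: List[Probe]) -> bool:
    """True when every probe yields the same signature, i.e. no collection-existence oracle remains."""
    return len({signature(p) for p in probes}) == 1


def error_body(message: str, code: str) -> str:
    """Build a Directus-style error body: {"errors": [{"message": ..., "extensions": {"code": ...}}]}."""
    return json.dumps({"errors": [{"message": message, "extensions": {"code": code}}]})


# Constructed sample responses (not real Directus output): the vulnerable pair leaks
# existence through the message, the fixed pair answers both requests identically.
VULNERABLE = [
    Probe("payroll", 403, error_body("You don't have permission to access this.", "FORBIDDEN")),
    Probe("no_such", 403, error_body('Collection "no_such" doesn\'t exist.', "FORBIDDEN")),
]
FIXED = [
    Probe("payroll", 403, error_body("You don't have permission to access this.", "FORBIDDEN")),
    Probe("no_such", 403, error_body("You don't have permission to access this.", "FORBIDDEN")),
]

if __name__ == "__main__":
    print("vulnerable sample consistent:", responses_consistent(VULNERABLE))  # False
    print("fixed sample consistent:", responses_consistent(FIXED))            # True
```

Against a live instance, replace the sample lists with `fetch_probe()` calls for one collection the test role is denied and one name that does not exist; a result of True after the upgrade confirms the oracle is closed.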

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
