Moderate severity | NVD Advisory | Published Nov 13, 2025 | Updated Nov 13, 2025
Directus's concealed fields are searchable if read permissions are enabled
CVE-2025-64748
Description
Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search (filter on) concealed/sensitive fields when they have read permissions on them. While the actual values remain masked (****), a successful match can be detected from which records are returned, enabling enumeration attacks on sensitive data. Version 11.13.0 fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| directus | npm | < 11.13.0 | 11.13.0 |
| @directus/api | npm | < 32.0.0 | 32.0.0 |
Affected products
- @directus/api (no CPE), range: < 32.0.0
- directus (no CPE), range: < 11.13.0
References
- https://github.com/advisories/GHSA-8jpw-gpr4-8cmh (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-64748 (NVD advisory)
- https://github.com/directus/directus/commit/7737d56e096f95edfbdf861a3c08999ad31ce204 (fix commit)
- https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh (vendor advisory)