VYPR · Moderate severity · NVD Advisory · Published Nov 13, 2025 · Updated Nov 13, 2025

Directus's conceal fields are searchable if read permissions are enabled

CVE-2025-64748

Description

Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (****), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. Version 11.13.0 fixes the issue.
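The mechanism the description refers to, modelled as an added example (this is not Directus's own code): a free-text search picks the set of columns it may compare against, and the vulnerable shape of that step only dropped fields marked non-searchable, so a concealed field the caller was allowed to read still became a LIKE target. The fixed shape drops fields carrying the conceal special before permissions are consulted. `FieldDef`, `Permission`, `permittedFields`, `searchFieldsVulnerable`, `searchFieldsFixed`, `buildSearchClause`, `countMatches` and the sample schema and rows are all hypothetical names and constructed inputs.

```typescript
// Added example, not Directus code: a minimal model of the field filter that decides
// which columns a free-text search may touch, in its vulnerable and fixed forms.
// All names and data below are hypothetical / constructed for the demonstration.

type FieldDef = { searchable?: boolean; special?: string[] };
type Schema = Record<string, Record<string, FieldDef>>;
export type Permission = { collection: string; action: string; fields: string[] };

// Constructed schema: `secret` is a concealed field, as in the advisory.
export const schema: Schema = {
  users: {
    name: { searchable: true },
    email: { searchable: true },
    secret: { searchable: true, special: ['conceal'] },
    notes: { searchable: false },
  },
};

// Constructed rows; a real response would mask `secret` as '****' before returning it.
export const rows: Record<string, string>[] = [
  { name: 'alice', email: 'alice@example.test', secret: 'hunter2', notes: 'vip' },
  { name: 'bob', email: 'bob@example.test', secret: 'swordfish', notes: '' },
];

// A read rule that explicitly grants the concealed field: the condition the advisory describes.
export const readPermission: Permission[] = [
  { collection: 'users', action: 'read', fields: ['name', 'email', 'secret'] },
];

// Fields the caller may read under the given rules ('*' means every field).
function permittedFields(collection: string, permissions: Permission[]): Set<string> {
  const allowed = new Set<string>();
  const all = Object.keys(schema[collection] ?? {});
  for (const p of permissions) {
    if (p.collection !== collection || p.action !== 'read') continue;
    for (const f of p.fields.includes('*') ? all : p.fields) allowed.add(f);
  }
  return allowed;
}

// Vulnerable selection (pre-fix shape): only `searchable !== false` is checked, so a
// concealed field the caller may read still becomes a LIKE target.
export function searchFieldsVulnerable(collection: string, permissions: Permission[]): string[] {
  const allowed = permittedFields(collection, permissions);
  return Object.entries(schema[collection] ?? {})
    .filter(([, f]) => f.searchable !== false)
    .map(([name]) => name)
    .filter((name) => allowed.has(name));
}

// Fixed selection: concealed fields are dropped before permissions are consulted, so read
// access never turns the masked column into a match oracle. `special` is treated as optional
// so a field definition without it cannot throw.
export function searchFieldsFixed(collection: string, permissions: Permission[]): string[] {
  const allowed = permittedFields(collection, permissions);
  return Object.entries(schema[collection] ?? {})
    .filter(([, f]) => f.searchable !== false && !f.special?.includes('conceal'))
    .map(([name]) => name)
    .filter((name) => allowed.has(name));
}

// The WHERE fragment a search would emit for the chosen fields (same shape as the patch's test).
export function buildSearchClause(collection: string, fields: string[]): string {
  return fields.map((f) => `(LOWER("${collection}"."${f}") LIKE ?)`).join(' or ');
}

// In-memory stand-in for the database: how many rows would the search return? Even with the
// secret value masked in the response, a non-zero count reveals that the term matched.
export function countMatches(fields: string[], term: string): number {
  const needle = term.toLowerCase();
  return rows.filter((row) => fields.some((f) => (row[f] ?? '').toLowerCase().includes(needle))).length;
}
```

Running `countMatches(searchFieldsVulnerable('users', readPermission), 'hunter')` returns 1 while the fixed selection returns 0 for the same term: the difference in row count is exactly the signal the advisory calls an enumeration oracle, and the fix removes it by never letting the concealed column into the comparison set, whatever the permission rule says.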

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Ecosystem   Affected versions   Patched versions
directus         npm         < 11.13.0           11.13.0
@directus/api    npm         < 32.0.0            32.0.0

Patches

Commit 7737d56e096f

Merge from fork (#26111)

https://github.com/directus/directus · Brainslug · Nov 4, 2025 · via ghsa
3 files changed · +33 −1
  • api/src/database/run-ast/lib/apply-query/search.test.ts (+27 −0, modified)
    @@ -12,6 +12,12 @@ const schema = new SchemaBuilder()
     		c.field('string').string();
     		c.field('float').float();
     		c.field('integer').integer();
    +
    +		c.field('secret')
    +			.string()
    +			.options({
    +				special: ['conceal'],
    +			});
     	})
     	.build();
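Review bot: adding `secret` to the shared `SchemaBuilder` fixture changes the field set every test in this file sees, and the later `Add all fields for * field rule` test is the one that would catch a regression where a concealed field leaks back into a `*` search; an explicit assertion there that `secret` does not appear in the generated SQL would make that intent visible instead of relying on an unchanged expected string.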
     
    @@ -118,6 +124,27 @@ test(`Remove forbidden field(s) from search`, async () => {
     	expect(rawQuery.bindings).toEqual(['%directus%']);
     });
     
    +test(`Remove "conceal" field(s) from search irrespective of permissions`, async () => {
    +	const db = vi.mocked(knex.default({ client: Client_SQLite3 }));
    +	const queryBuilder = db.queryBuilder();
    +
    +	applySearch(db as any, schema, queryBuilder, 'directus', 'test', {}, [
    +		{
    +			collection: 'test',
    +			action: 'read',
    +			fields: ['text', 'string', 'secret'],
    +			permissions: {
    +				text: {},
    +			},
    +		} as unknown as Permission,
    +	]);
    +
    +	const rawQuery = queryBuilder.toSQL();
    +
    +	expect(rawQuery.sql).toEqual(`select * where ((LOWER("test"."text") LIKE ?) or (LOWER("test"."string") LIKE ?))`);
    +	expect(rawQuery.bindings).toEqual(['%directus%', '%directus%']);
    +});
    +
     test(`Add all fields for * field rule`, async () => {
     	const db = vi.mocked(knex.default({ client: Client_SQLite3 }));
     	const queryBuilder = db.queryBuilder();
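Review bot: the new test only exercises an explicit `fields: ['text', 'string', 'secret']` rule; a companion case with `fields: ['*']` (the rule the following test uses) would pin down that the conceal exclusion also holds when the permission expands to every field. The `as unknown as Permission` double cast also hides any required properties missing from the literal; a small fixture helper that builds a complete `Permission` would keep the test from silently diverging from the real type.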
    
  • api/src/database/run-ast/lib/apply-query/search.ts (+1 −1, modified)
    @@ -25,7 +25,7 @@ export function applySearch(
     	let fields = Object.entries(schema.collections[collection]!.fields);
     
     	// filter out fields that are not searchable
    -	fields = fields.filter(([_name, field]) => field.searchable !== false);
    +	fields = fields.filter(([_name, field]) => field.searchable !== false && field.special.includes('conceal') !== true);
     
     	const { cases, caseMap } = getCases(collection, permissions, []);
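Review bot: `field.special.includes('conceal')` on the `+` line assumes `special` is always an array; if any field overview can carry `special` as `null` or undefined, the filter throws and the whole search request fails instead of just excluding that field, so `field.special?.includes('conceal')` (or a `?? []` fallback) is the safer form. The `!== true` comparison can also be written as `!field.special.includes('conceal')`, matching the `searchable !== false` style on the same line.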
     
    
  • .changeset/calm-donkeys-greet.md (+5 −0, added)
    @@ -0,0 +1,5 @@
    +---
    +'@directus/api': patch
    +---
    +
    +Updated searchable fields
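Review bot: the changeset summary `Updated searchable fields` does not tell a release-note reader what changed or why; for a security fix, state the behaviour, for example `Exclude fields with the conceal special from search regardless of read permissions`. The advisory above also lists the `directus` package as affected alongside `@directus/api`, so check whether the root package needs its own changeset entry.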
    
