CVE-2025-64748

Published November 13th, 2025

View on NVD ↗

CVSS v3

6.5

MEDIUM

CVSS v2

N/A

Affected

PROJECT

Description

Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. Version 11.13.0 fixes the issue.

directus/directus

The flexible backend for all your projects 🐰 Turn your DB into a headless CMS, admin panels, or apps with a custom UI, instant APIs, auth & more.

GitHub

36.2K