PT-2025-46914 · Directus · Directus

Published

2025-11-13

·

Updated

2026-04-05

·

CVE-2025-64748

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Directus versions prior to 11.13.0

Description

Directus allows authenticated users who hold read permission on a concealed or sensitive field to search (filter) on that field. The field's actual value is masked in the response, but a successful match can be detected from which records are returned, which enables enumeration of sensitive data. The vulnerability affects fields such as token, tfa_secret, and password in the directus_users collection. An attacker can use this to verify that an authentication token is valid, identify accounts whose password matches a known compromised value, and confirm the existence of other sensitive values. The default application access permissions can expose deployments that use the recommended settings without any further misconfiguration.

Recommendations

Update to Directus version 11.13.0 or later.
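The following model, added here as an illustration and not taken from Directus itself, shows why masking output alone does not close this class of bug and what a filter-level guard looks like. It assumes a simplified Directus-style filter syntax (`{field: {_eq: value}}` with `_and`/`_or` nesting) and constructed sample records; the concealed field names are the ones the advisory lists.

```python
"""Model of the CVE-2025-64748 bug class: filtering on concealed fields."""

# Field names from the advisory; records below are constructed sample data.
CONCEALED_FIELDS = {"token", "tfa_secret", "password"}
MASK = "**********"
USERS = [
    {"id": 1, "email": "a@example.com", "token": "tok-A", "password": "hash-A"},
    {"id": 2, "email": "b@example.com", "token": "tok-B", "password": "hash-B"},
]


def _matches(record, filt):
    """Evaluate a simplified Directus-style filter (assumed syntax)."""
    for key, cond in filt.items():
        if key == "_and":
            if not all(_matches(record, f) for f in cond):
                return False
        elif key == "_or":
            if not any(_matches(record, f) for f in cond):
                return False
        else:
            for op, val in cond.items():
                actual = str(record.get(key, ""))
                if op == "_eq" and actual != val:
                    return False
                if op == "_starts_with" and not actual.startswith(val):
                    return False
    return True


def filtered_fields(filt):
    """Collect every field referenced anywhere in a nested filter."""
    fields = set()
    for key, cond in filt.items():
        if key in ("_and", "_or"):
            for sub in cond:
                fields |= filtered_fields(sub)
        else:
            fields.add(key)
    return fields


def query_vulnerable(filt):
    """Pre-fix behaviour: the filter runs on real values and only the output
    is masked, so the number of rows returned reveals whether it matched."""
    hits = [r for r in USERS if _matches(r, filt)]
    return [{**r, **{f: MASK for f in CONCEALED_FIELDS if f in r}} for r in hits]


def query_hardened(filt):
    """Guard: reject any filter that touches a concealed field, at any depth."""
    leaked = filtered_fields(filt) & CONCEALED_FIELDS
    if leaked:
        raise PermissionError(f"filter on concealed field(s): {sorted(leaked)}")
    return query_vulnerable(filt)


def is_rejected(filt):
    """True when the hardened query refuses the filter."""
    try:
        query_hardened(filt)
        return False
    except PermissionError:
        return True
```

The guard must walk nested `_and`/`_or` branches; checking only top-level keys would leave the enumeration path open through a wrapped condition.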

Exploit

Fix

Weakness Enumeration

Related Identifiers

CVE-2025-64748
GHSA-8JPW-GPR4-8CMH

Affected Products

Directus