PT-2025-46915 · Directus · Directus

Published

2025-11-13

·

Updated

2025-12-08

·

CVE-2025-64749

CVSS v3.1

4.3

Medium

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 11.13.0
Description: The Directus REST API returns different error messages for the /items/{collection} endpoint depending on whether the requested collection exists but is not authorized for the caller, or does not exist at all. The {collection} path parameter is the attacker-controlled input: an authenticated user with no permission on a collection (PR:L in the vector) can submit candidate collection names and compare the responses. A request for an existing collection the user may not read yields an error message that reveals the collection exists, while a request for a non-existent collection yields a different error message. Comparing the two lets a low-privileged user enumerate the names of collections they are not permitted to see (confidentiality impact only, hence C:L/I:N/A:N).
Recommendations: Instances running versions prior to 11.13.0 should be updated to version 11.13.0 or later.


Weakness Enumeration

Generation of Error Message Containing Sensitive Information

Side Channel Attack

Related Identifiers

CVE-2025-64749
GHSA-CPH6-524F-3HGR

Affected Products

Directus