CVE-2025-64746 – A permission inheritance vulnerability in Direc... (How to Fix)

Q: What is the severity of CVE-2025-64746?

CVE-2025-64746 has a CVSS score of 4.6 (MEDIUM). A permission inheritance vulnerability in Directus allows stale field-level permissions to persist after field deletion. When a deleted field's name is reused for a new field, the new field inherits outdated permissions, potentially granting unauthorized data access. This affects all Directus installations prior to version 11.13.0.

📋 TL;DR

A permission inheritance vulnerability in Directus allows stale field-level permissions to persist after field deletion. When a deleted field's name is reused for a new field, the new field inherits outdated permissions, potentially granting unauthorized data access. This affects all Directus installations prior to version 11.13.0.

💻 Affected Systems

Products:

Directus

Versions: All versions prior to 11.13.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all installations where field-level permissions are used and fields are deleted/renamed.

📦 What is this software?

Directus by Monospace

View all CVEs affecting Directus →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Administrators unintentionally grant excessive read/write permissions to roles, leading to data exposure or unauthorized modifications in sensitive collections.

🟠

Likely Case

Field name reuse in development or multi-tenant environments causes permission misconfigurations, allowing unintended data access.

🟢

If Mitigated

With strict field naming policies and permission audits, the risk is limited to configuration errors.

🌐 Internet-Facing: MEDIUM - Exploitation requires authenticated access but could impact web-accessible APIs.

🏢 Internal Only: MEDIUM - Internal administrators could inadvertently create permission gaps through normal field management.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: NO

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated administrative access to delete/create fields and relies on field name reuse.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.13.0

Vendor Advisory: https://github.com/directus/directus/security/advisories/GHSA-9x5g-62gj-wqf2

Restart Required: Yes

Instructions:

1. Backup your Directus database and files. 2. Update Directus to version 11.13.0 or later via package manager or manual installation. 3. Restart the Directus service. 4. Verify the update completed successfully.

🔧 Temporary Workarounds

Manual Permission Cleanup

all

Manually remove stale permission entries from the database after field deletions.

DELETE FROM directus_permissions WHERE field = 'deleted_field_name';

Field Naming Policy

all

Implement strict field naming conventions to avoid reusing deleted field names.

🧯 If You Can't Patch

Audit all field-level permissions and manually clean up entries for deleted fields.
Implement monitoring for permission table changes and field creation/deletion events.

🔍 How to Verify

Check if Vulnerable:

Check your Directus version. If it's below 11.13.0, you are vulnerable.

Check Version:

npx directus version

Verify Fix Applied:

After updating to 11.13.0+, test by creating/deleting a field with permissions and verifying permissions are properly cleaned up.

📡 Detection & Monitoring

Log Indicators:

Unusual permission changes in audit logs
Field deletion events without corresponding permission cleanup

Network Indicators:

Unexpected API responses showing data that should be restricted

SIEM Query:

event_source="directus" AND (event_type="field_deleted" OR event_type="permission_modified")

📊 Metadata

CVE ID: CVE-2025-64746

CVSS v3 Score: 4.6 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CWE: CWE-284

EPSS Score: 0.04% exploit probability (11.5th percentile)

Published: November 13, 2025

Last Updated: December 8, 2025

🔗 References

https://github.com/directus/directus/commit/84d7636969083387164ce5d2fd15a65e11e2d0b8 Patch
https://github.com/directus/directus/security/advisories/GHSA-9x5g-62gj-wqf2 Exploit,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-64746, you might also want to check these: