CVE-2025-64748
📋 TL;DR
This vulnerability in Directus lets authenticated users with read permission on a collection detect matches in concealed fields (fields carrying the `conceal` special, which the API returns masked as asterisks) through the `search` query parameter, turning search into a yes/no oracle. The concealed value is never returned, but an attacker can recover it anyway by submitting candidate values and observing which records come back, one guess at a time. All Directus instances running versions prior to 11.13.0 are affected.
💻 Affected Systems
- Directus
📦 What is this software?
Directus by Monospace: an open-source headless CMS and data platform that exposes a SQL database through REST and GraphQL APIs with role- and field-level permissions.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could enumerate sensitive data such as hidden email addresses, internal identifiers, or other concealed fields, potentially leading to data exposure, privacy violations, or reconnaissance for further attacks.
Likely Case
Authenticated users with read permissions could discover which records contain specific sensitive values, enabling them to map relationships or identify specific targets within the database.
If Mitigated
With read access to collections holding concealed fields restricted to the roles that genuinely need it, only those roles can use the search oracle, and only against records they can already read. Note that the oracle reveals the concealed value itself, not merely that a record exists, so limiting who can search is what bounds the impact.
🎯 Exploit Status
Exploitation requires only an authenticated account with read permission on the affected collection and the documented items query (for example GET /items/<collection>?search=<candidate>); no special tooling is needed, and the guessing loop is trivial to script once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.13.0
Vendor Advisory: https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh
Restart Required: Yes
Instructions:
1. Back up your Directus instance and database.
2. Update Directus to version 11.13.0 or later (npm/yarn for package installs, or pull the matching directus/directus image for Docker deployments).
3. Restart the Directus service.
4. Verify the update was successful (see How to Verify below).
🔧 Temporary Workarounds
Restrict Read Access to Concealed Fields
Directus has no separate search permission; search is part of read access. Temporarily remove concealed fields from the readable fields of every role or policy that does not strictly need them (field-level read permissions), and limit read access to the affected collections to the roles that need it. Confirm the change with the search check under How to Verify.
Audit User Permissions
Review and tighten read permissions for all roles and policies, ensuring only necessary access to collections containing sensitive fields.
🧯 If You Can't Patch
- Implement strict access controls to limit which roles can read, and therefore search, collections with concealed fields
- Monitor HTTP request logs for repeated `search=` queries against those collections, especially sequences of guesses from one client
🔍 How to Verify
Check if Vulnerable:
Check your Directus version. If it is below 11.13.0, any authenticated role with read permission on a collection containing concealed fields can exploit this.
Check Version:
npm list directus | grep directus (or check package.json); for Docker deployments check the image tag, or as an admin call GET /server/info, whose response includes directus.version.
Verify Fix Applied:
After updating to 11.13.0 or later, as a non-admin user with read permission on the collection, search for a value that you stored in a concealed field and in no other field. A fixed instance returns no records for that search; a vulnerable one returns the record.
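The following script is an added example written for this page, not code from the Directus project. It automates the two checks above: it reads the running version from GET /server/info (which reports directus.version to admin users) and then runs the search oracle as a low-privilege user against a record whose concealed field holds a value you set yourself. The base URL, the collection `customers`, the record id, the needle and the token environment variables are placeholders; the needle must occur only in the concealed field, otherwise a legitimate match on a visible field gives a false positive. The same oracle check can be rerun after applying the field-permission workaround to confirm it closes the leak for that role.

```python
"""Check a Directus instance for CVE-2025-64748 (concealed-field search oracle).

Added example for this page, not Directus project code. Assumes:
  - BASE_URL points at a Directus instance (placeholder below),
  - DIRECTUS_USER_TOKEN is a static token for a non-admin user whose role can
    read the target collection; DIRECTUS_ADMIN_TOKEN one for an admin
    (only /server/info needs it),
  - the collection 'customers' has a concealed field whose value, for the
    record with id KNOWN_ID, you set yourself to NEEDLE and nowhere else.
All of these names are hypothetical placeholders.
"""
import json
import urllib.parse
import urllib.request

FIXED_VERSION = (11, 13, 0)           # first release with the fix, per the advisory

BASE_URL = "https://cms.example.com"  # placeholder
COLLECTION = "customers"              # hypothetical collection with a concealed field
KNOWN_ID = 42                         # hypothetical record id you control
NEEDLE = "sk_live_selftest_0001"      # value stored in the concealed field only


def parse_version(version):
    """'11.12.3' -> (11, 12, 3). A pre-release suffix such as '-rc.1' is dropped,
    so an 11.13.0 release candidate is treated as fixed; check those by hand."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable_version(version):
    """True for any release before 11.13.0."""
    return parse_version(version) < FIXED_VERSION


def search_url(base, collection, needle, pk="id", limit=5):
    """Build the documented items query: GET /items/<collection>?search=...&fields=<pk>."""
    query = urllib.parse.urlencode({"search": needle, "fields": pk, "limit": limit})
    return f"{base.rstrip('/')}/items/{urllib.parse.quote(collection)}?{query}"


def oracle_leaks(items, expected_id, pk="id"):
    """True if the search returned the record whose concealed field holds the needle."""
    return any(str(item.get(pk)) == str(expected_id) for item in items)


def get_json(url, token):
    """Authenticated GET returning the parsed JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def server_version(base, admin_token):
    """GET /server/info includes directus.version for admin users."""
    info = get_json(f"{base.rstrip('/')}/server/info", admin_token)
    return info["data"]["directus"]["version"]


def concealed_field_searchable(base, user_token, collection, needle, expected_id):
    """Run the oracle as the low-privilege user. True means the instance leaks."""
    items = get_json(search_url(base, collection, needle), user_token)["data"]
    return oracle_leaks(items, expected_id)


if __name__ == "__main__":
    import os
    admin_token = os.environ["DIRECTUS_ADMIN_TOKEN"]
    user_token = os.environ["DIRECTUS_USER_TOKEN"]
    version = server_version(BASE_URL, admin_token)
    state = "VULNERABLE" if is_vulnerable_version(version) else "fixed"
    print(f"version {version}: {state} by version number")
    leaks = concealed_field_searchable(BASE_URL, user_token, COLLECTION, NEEDLE, KNOWN_ID)
    print("search oracle:", "LEAKS concealed value" if leaks else "no match returned")
```

Run it once before and once after patching (or after tightening field permissions) with the same low-privilege token; the version check alone is not sufficient, because a narrowed permission set can close the oracle for a role on an unpatched instance, and a patched instance still returns the record if the needle also appears in a visible field.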
📡 Detection & Monitoring
Log Indicators:
- Unusual search patterns against concealed fields
- Repeated search queries with similar parameters
- High volume of search requests from single users
Network Indicators:
- Increased API calls to search endpoints
- Patterns of search requests targeting specific field names
SIEM Query (illustrative; the Directus activity log records creates, updates, deletes and logins but not reads, so search requests must come from HTTP request logs, either Directus's own JSON request logger or the reverse proxy in front of it, and field names follow that source):
source="directus" AND req.method="GET" AND (req.url="/items/*search=*" OR req.url="/users?search=*") AND req.remoteAddress=* | stats count BY req.remoteAddress, req.url | where count > 20
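The log indicators above can be turned into a concrete detector. The script below is an added example for this page, not Directus project code, and runs over constructed sample lines shaped like a pino-http style JSON request log (a `req` object with `method`, `url` and `remoteAddress`, plus a `time` in milliseconds); real field names depend on your logger or proxy, so adjust `parse_search_events()` accordingly. It looks for two signals: many `search=` requests from one client against one collection, and prefix walking, where each search extends the previous one by a character, which is the shape of a character-by-character value recovery through this oracle.

```python
"""Flag concealed-field enumeration in Directus request logs (CVE-2025-64748).

Added example for this page, not Directus project code. SAMPLE_LOG is
constructed; the field layout (time, req.method, req.url, req.remoteAddress)
is an assumption about your request logger, adjust parse_search_events().
"""
import json
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample: 10.0.0.5 walks a secret prefix one character at a time,
# 10.0.0.9 performs ordinary searches. Not real traffic.
SAMPLE_LOG = """
{"time":1700000000000,"req":{"method":"GET","url":"/items/customers?limit=10","remoteAddress":"10.0.0.5"},"res":{"statusCode":200}}
{"time":1700000001000,"req":{"method":"GET","url":"/items/customers?search=s&fields=id","remoteAddress":"10.0.0.5"},"res":{"statusCode":200}}
{"time":1700000002000,"req":{"method":"GET","url":"/items/customers?search=sk&fields=id","remoteAddress":"10.0.0.5"},"res":{"statusCode":200}}
{"time":1700000003000,"req":{"method":"GET","url":"/items/customers?search=sk_&fields=id","remoteAddress":"10.0.0.5"},"res":{"statusCode":200}}
{"time":1700000004000,"req":{"method":"GET","url":"/items/customers?search=sk_l&fields=id","remoteAddress":"10.0.0.5"},"res":{"statusCode":200}}
{"time":1700000005000,"req":{"method":"GET","url":"/items/customers?search=sk_li&fields=id","remoteAddress":"10.0.0.5"},"res":{"statusCode":200}}
{"time":1700000006000,"req":{"method":"GET","url":"/items/customers?search=acme","remoteAddress":"10.0.0.9"},"res":{"statusCode":200}}
{"time":1700000007000,"req":{"method":"GET","url":"/items/orders?search=invoice","remoteAddress":"10.0.0.9"},"res":{"statusCode":200}}
{"time":1700000008000,"req":{"method":"GET","url":"/users?search=sk","remoteAddress":"10.0.0.9"},"res":{"statusCode":200}}
{"time":1700000009000,"req":{"method":"POST","url":"/items/orders","remoteAddress":"10.0.0.9"},"res":{"statusCode":200}}
"""

# System collections that are served from their own endpoints rather than /items/.
SYSTEM_ENDPOINTS = {"users", "files", "roles", "folders"}


def collection_from_path(path):
    """'/items/customers' -> 'customers', '/users' -> 'directus_users', else None."""
    segs = path.strip("/").split("/")
    if segs[0] == "items" and len(segs) >= 2:
        return segs[1]
    if segs[0] in SYSTEM_ENDPOINTS:
        return "directus_" + segs[0]
    return None


def parse_search_events(lines):
    """Extract (time, client, collection, needle) for every GET carrying search=."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        req = rec.get("req", {})
        if req.get("method") != "GET":
            continue
        parts = urlsplit(req.get("url", ""))
        collection = collection_from_path(parts.path)
        needle = parse_qs(parts.query).get("search", [None])[0]
        if collection is None or needle is None:
            continue
        events.append({"time": rec["time"], "client": req.get("remoteAddress", "?"),
                       "collection": collection, "needle": needle})
    return events


def longest_prefix_walk(needles):
    """Length of the longest run in which each search extends the previous one."""
    best = run = 1 if needles else 0
    for prev, cur in zip(needles, needles[1:]):
        run = run + 1 if len(cur) > len(prev) and cur.startswith(prev) else 1
        best = max(best, run)
    return best


def find_enumeration(events, min_searches=5, min_walk=4):
    """Group searches by (client, collection) and flag volume or prefix walking."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_key[(ev["client"], ev["collection"])].append(ev["needle"])
    findings = []
    for (client, collection), needles in by_key.items():
        walk = longest_prefix_walk(needles)
        if len(needles) >= min_searches or walk >= min_walk:
            findings.append({"client": client, "collection": collection,
                             "searches": len(needles), "prefix_walk": walk})
    return findings


if __name__ == "__main__":
    for finding in find_enumeration(parse_search_events(SAMPLE_LOG.splitlines())):
        print(finding)
```

Two practical caveats: the search terms in these logs are the attacker's recovered prefixes of a concealed value, so the detector's output and the underlying request logs are themselves sensitive and should be access-controlled; and keying on the client address merges users behind a shared proxy, so if your logger records the authenticated user or token id, group on that instead.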