CVE-2025-64749
📋 TL;DR
This CVE describes an information disclosure vulnerability in Directus where unauthorized users can determine whether specific database collections exist by observing different error messages. Attackers can enumerate collection names even without access permissions, potentially revealing sensitive data structures. All Directus instances prior to version 11.13.0 are affected.
💻 Affected Systems
- Directus
📦 What is this software?
Directus by Monospace
⚠️ Risk & Real-World Impact
Worst Case
Attackers could map the entire database structure, identify sensitive collections (like user data, financial records), and use this reconnaissance for targeted attacks on specific data types.
Likely Case
Unauthorized users discover collection names they shouldn't know about, potentially revealing business logic, data organization, or sensitive table structures.
If Mitigated
With proper authentication and authorization controls, attackers still learn collection names but cannot access the actual data.
🎯 Exploit Status
Exploitation requires API access but no specific permissions. Attackers simply need to send requests to different collection names and observe error message differences.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.13.0
Vendor Advisory: https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr
Restart Required: Yes
Instructions:
1. Update Directus to version 11.13.0 or later.
2. Restart the Directus service.
3. Verify the fix by testing the /items/{collection} endpoint with unauthorized access attempts.
🔧 Temporary Workarounds
- Implement custom error handling middleware: create middleware that normalizes error responses for unauthorized collection access attempts, for example custom Express middleware that intercepts API responses and standardizes error messages.
- Rate limit collection enumeration attempts: add rate limiting to the /items/{collection} endpoint to slow down enumeration, configured for /items/* endpoints in your reverse proxy or application.
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to detect and block collection enumeration patterns
- Add authentication requirements for all API endpoints and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Test the /items/{collection} endpoint with two requests: one to an existing collection you lack permissions for, and one to a non-existent collection. Compare error messages.
Check Version:
Check package.json for Directus version or run: npx directus version
Verify Fix Applied:
After updating to 11.13.0+, test the same scenarios. Both should return identical error messages regardless of collection existence.
📡 Detection & Monitoring
Log Indicators:
- Multiple 403/404 errors from same IP to /items/{collection} with different collection names
- Pattern of failed collection access attempts
Network Indicators:
- Unusual volume of GET requests to /items/{collection} endpoint with varying collection names
SIEM Query:
source="directus" AND (uri_path="/items/*" AND status_code IN (403,404)) | stats count by src_ip, uri_path
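A small detector for the log indicators above, added here as an example (it is not part of the original advisory and not Directus code). It assumes a simplified access-log line format of `ip method path status`, constructed inline, and flags a source IP once it has received 403/404 responses for at least three distinct collection names under /items/.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real traffic): "<ip> <method> <path> <status>"
SAMPLE_LOG = """\
203.0.113.10 GET /items/articles 200
198.51.100.7 GET /items/users 403
198.51.100.7 GET /items/payments 403
198.51.100.7 GET /items/zzz_probe 404
198.51.100.7 GET /items/invoices 403
198.51.100.7 GET /items/nope 404
203.0.113.10 GET /items/articles 200
203.0.113.10 GET /items/secret 403
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
# Collection name is the first path segment after /items/, ignoring any query string
ITEMS_RE = re.compile(r"^/items/(?P<collection>[^/?]+)")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"], "status": int(m["status"])}


def failed_collections_by_ip(lines):
    """Map src_ip -> set of distinct collection names that returned 403 or 404."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] not in (403, 404):
            continue
        m = ITEMS_RE.match(rec["path"])
        if m:
            seen[rec["ip"]].add(m["collection"])
    return seen


def flag_enumerators(lines, min_distinct=3):
    """Return {ip: count} for IPs whose distinct failed collection names reach the threshold."""
    return {ip: len(c) for ip, c in failed_collections_by_ip(lines).items() if len(c) >= min_distinct}


if __name__ == "__main__":
    for ip, n in flag_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} distinct collections with 403/404")
```

The threshold and log format are placeholders; adapt them to your proxy's log layout and expected traffic before alerting on the result.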