CVE-2025-30352

26.03.2025, 18:15

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the `search` query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the enumeration of unknown field contents. The searchable columns (numbers & strings) are not checked against permissions when injecting the `where` clauses for applying the search query. This leads to the possibility of enumerating those un-permitted fields. Version 11.5.0 fixes the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
GitHub_M	CNA	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 11%

Vendor	Product	Version
monospace	directus	9.0.1 ≤ 𝑥 < 11.5.0
monospace	directus	9.0.0:alpha10
monospace	directus	9.0.0:alpha11
monospace	directus	9.0.0:alpha12
monospace	directus	9.0.0:alpha13
monospace	directus	9.0.0:alpha14
monospace	directus	9.0.0:alpha15
monospace	directus	9.0.0:alpha16
monospace	directus	9.0.0:alpha17
monospace	directus	9.0.0:alpha18
monospace	directus	9.0.0:alpha19
monospace	directus	9.0.0:alpha20
monospace	directus	9.0.0:alpha21
monospace	directus	9.0.0:alpha22
monospace	directus	9.0.0:alpha23
monospace	directus	9.0.0:alpha24
monospace	directus	9.0.0:alpha25
monospace	directus	9.0.0:alpha26
monospace	directus	9.0.0:alpha27
monospace	directus	9.0.0:alpha31
monospace	directus	9.0.0:alpha32
monospace	directus	9.0.0:alpha33
monospace	directus	9.0.0:alpha34
monospace	directus	9.0.0:alpha35
monospace	directus	9.0.0:alpha36
monospace	directus	9.0.0:alpha37
monospace	directus	9.0.0:alpha38
monospace	directus	9.0.0:alpha39
monospace	directus	9.0.0:alpha4
monospace	directus	9.0.0:alpha40
monospace	directus	9.0.0:alpha41
monospace	directus	9.0.0:alpha42
monospace	directus	9.0.0:alpha5
monospace	directus	9.0.0:alpha6
monospace	directus	9.0.0:alpha7
monospace	directus	9.0.0:alpha8
monospace	directus	9.0.0:alpha9
monospace	directus	9.0.0:beta0
monospace	directus	9.0.0:beta1
monospace	directus	9.0.0:beta10
monospace	directus	9.0.0:beta11
monospace	directus	9.0.0:beta12
monospace	directus	9.0.0:beta13
monospace	directus	9.0.0:beta14
monospace	directus	9.0.0:beta2
monospace	directus	9.0.0:beta3
monospace	directus	9.0.0:beta4
monospace	directus	9.0.0:beta5
monospace	directus	9.0.0:beta7
monospace	directus	9.0.0:beta8
monospace	directus	9.0.0:beta9
monospace	directus	9.0.0:rc0
monospace	directus	9.0.0:rc1
monospace	directus	9.0.0:rc10
monospace	directus	9.0.0:rc100
monospace	directus	9.0.0:rc101
monospace	directus	9.0.0:rc11
monospace	directus	9.0.0:rc12
monospace	directus	9.0.0:rc13
monospace	directus	9.0.0:rc14
monospace	directus	9.0.0:rc15
monospace	directus	9.0.0:rc17
monospace	directus	9.0.0:rc18
monospace	directus	9.0.0:rc19
monospace	directus	9.0.0:rc2
monospace	directus	9.0.0:rc20
monospace	directus	9.0.0:rc21
monospace	directus	9.0.0:rc22
monospace	directus	9.0.0:rc23
monospace	directus	9.0.0:rc24
monospace	directus	9.0.0:rc25
monospace	directus	9.0.0:rc26
monospace	directus	9.0.0:rc27
monospace	directus	9.0.0:rc28
monospace	directus	9.0.0:rc29
monospace	directus	9.0.0:rc3
monospace	directus	9.0.0:rc30
monospace	directus	9.0.0:rc31
monospace	directus	9.0.0:rc32
monospace	directus	9.0.0:rc33
monospace	directus	9.0.0:rc34
monospace	directus	9.0.0:rc35
monospace	directus	9.0.0:rc36
monospace	directus	9.0.0:rc37
monospace	directus	9.0.0:rc38
monospace	directus	9.0.0:rc39
monospace	directus	9.0.0:rc4
monospace	directus	9.0.0:rc40
monospace	directus	9.0.0:rc41
monospace	directus	9.0.0:rc42
monospace	directus	9.0.0:rc43
monospace	directus	9.0.0:rc44
monospace	directus	9.0.0:rc45
monospace	directus	9.0.0:rc46
monospace	directus	9.0.0:rc47
monospace	directus	9.0.0:rc48
monospace	directus	9.0.0:rc49
monospace	directus	9.0.0:rc5
monospace	directus	9.0.0:rc50
monospace	directus	9.0.0:rc51
monospace	directus	9.0.0:rc52
monospace	directus	9.0.0:rc53
monospace	directus	9.0.0:rc54
monospace	directus	9.0.0:rc55
monospace	directus	9.0.0:rc56
monospace	directus	9.0.0:rc57
monospace	directus	9.0.0:rc58
monospace	directus	9.0.0:rc59
monospace	directus	9.0.0:rc6
monospace	directus	9.0.0:rc60
monospace	directus	9.0.0:rc61
monospace	directus	9.0.0:rc62
monospace	directus	9.0.0:rc63
monospace	directus	9.0.0:rc64
monospace	directus	9.0.0:rc65
monospace	directus	9.0.0:rc66
monospace	directus	9.0.0:rc67
monospace	directus	9.0.0:rc68
monospace	directus	9.0.0:rc69
monospace	directus	9.0.0:rc7
monospace	directus	9.0.0:rc70
monospace	directus	9.0.0:rc71
monospace	directus	9.0.0:rc72
monospace	directus	9.0.0:rc73
monospace	directus	9.0.0:rc74
monospace	directus	9.0.0:rc75
monospace	directus	9.0.0:rc76
monospace	directus	9.0.0:rc77
monospace	directus	9.0.0:rc78
monospace	directus	9.0.0:rc79
monospace	directus	9.0.0:rc8
monospace	directus	9.0.0:rc80
monospace	directus	9.0.0:rc81
monospace	directus	9.0.0:rc82
monospace	directus	9.0.0:rc83
monospace	directus	9.0.0:rc84
monospace	directus	9.0.0:rc85
monospace	directus	9.0.0:rc86
monospace	directus	9.0.0:rc87
monospace	directus	9.0.0:rc88
monospace	directus	9.0.0:rc89
monospace	directus	9.0.0:rc9
monospace	directus	9.0.0:rc90
monospace	directus	9.0.0:rc91
monospace	directus	9.0.0:rc92
monospace	directus	9.0.0:rc93
monospace	directus	9.0.0:rc94
monospace	directus	9.0.0:rc95
monospace	directus	9.0.0:rc96
monospace	directus	9.0.0:rc97
monospace	directus	9.0.0:rc98
monospace	directus	9.0.0:rc99

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://github.com/directus/directus/commit/ac5a9964d9926f20dc063a74cb417dc7bbad676d

https://github.com/directus/directus/security/advisories/GHSA-7wq3-jr35-275c