CVE-2025-64746

13.11.2025, 21:15

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.6 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
GitHub_M	CNA	4.6 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-284 - Improper Access Control
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References

https://github.com/directus/directus/commit/84d7636969083387164ce5d2fd15a65e11e2d0b8

https://github.com/directus/directus/security/advisories/GHSA-9x5g-62gj-wqf2