SecuriTricks - CVE-2025-64746

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue.

Product(s) Impacted

Vendor	Product	Versions
Directus	Directus	<11.13.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	directus	directus	<11.13.0	/	/	/	/	/	/	/

References

https://github.com/directus/directus/commit/84d7636969083387164ce5d2fd15a65e11e2d0b8

https://github.com/directus/directus/security/advisories/GHSA-9x5g-62gj-wqf2

CVSS Score

4.6 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

View Vector String

Timeline

Published: Nov. 13, 2025, 9:15 p.m.
Last Modified: Nov. 14, 2025, 4:42 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CVE-2025-64746