CVE-2025-64748
BaseFortify
Publication date: 2025-11-13
Last updated on: 2025-12-08
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| monospace | directus | < 11.13.0 (11.13.0 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
In Directus versions prior to 11.13.0, an authenticated user who holds read permission on a collection can filter or search on fields that are configured as concealed. The field values themselves stay masked in the response (they are shown as ****), but the API still returns the records that matched the query. Because the user can see which records came back, each request answers the question "does this hidden value match my guess?", which turns the endpoint into an oracle for enumerating sensitive data that masking was supposed to hide.
How can this vulnerability impact me?
An attacker needs nothing more than an account with read access to the affected collection. The concealed values are never returned in clear, but by issuing repeated filtered reads the attacker can confirm guesses and reconstruct the hidden values one query at a time, so the masking provides no confidentiality against such a user. The result is indirect disclosure of whatever the concealed fields protect (credentials, tokens or other sensitive attributes) and, depending on the data, unauthorized inference about the records they belong to.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Directus to version 11.13.0 or later, which fixes the handling of filter and search operations against concealed fields. Until the upgrade is in place, review which roles hold read permission on collections that contain concealed fields and restrict that access to the roles that genuinely need it, since read permission is all the attack requires.
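The oracle described above, as an added illustration that is not code from Directus or from the advisory: a small, constructed simulation of a filterable read endpoint. The vulnerable variant evaluates filter rules against the raw stored value and only masks the concealed field when building the response, which is enough for a reader to recover the value with a starts-with oracle (the request shape in a real deployment would be along the lines of `GET /items/<collection>?filter[<field>][_starts_with]=<prefix>`). The hardened variant refuses any filter rule that references a concealed field; that is one possible fix chosen for this example, not a claim about how 11.13.0 itself was patched. The collection, the field name `api_key`, the sample rows and the operator set are all assumptions of the example.

```python
import string

# Constructed simulation (added example, not Directus source code): a collection
# with one "concealed" field that is masked in responses but, in the vulnerable
# variant, is still evaluated by the filter engine against its raw value.

MASK = "****"
CONCEALED_FIELDS = {"api_key"}          # assumption: fields marked as concealed
ALPHABET = string.ascii_lowercase + string.digits + "-"

# Constructed sample rows standing in for a collection the attacker can read.
ROWS = [
    {"id": 1, "name": "alice", "api_key": "sk-7f3a"},
    {"id": 2, "name": "bob",   "api_key": "sk-19bc"},
]


class ForbiddenFilter(Exception):
    """Raised by the hardened query when a filter targets a concealed field."""


def _matches(row, field, op, value):
    """Evaluate one filter rule (Directus-style operator names, assumed here:
    _eq, _starts_with, _contains) against the raw stored value."""
    stored = str(row[field])
    if op == "_eq":
        return stored == value
    if op == "_starts_with":
        return stored.startswith(value)
    if op == "_contains":
        return value in stored
    raise ValueError(f"unsupported operator {op!r}")


def _mask(row):
    """Mask concealed fields on output; every other field is returned as-is."""
    return {k: (MASK if k in CONCEALED_FIELDS else v) for k, v in row.items()}


def query_vulnerable(rows, filt=None):
    """Vulnerable behaviour: apply the filter to raw values, then mask on output.
    filt is (field, operator, value) or None for an unfiltered read."""
    return [_mask(r) for r in rows if filt is None or _matches(r, *filt)]


def query_hardened(rows, filt=None):
    """Hardened behaviour (one possible fix, an assumption of this example):
    refuse any filter rule that references a concealed field, so the filter
    engine can no longer act as a membership oracle on the hidden value."""
    if filt is not None and filt[0] in CONCEALED_FIELDS:
        raise ForbiddenFilter(f"filtering on concealed field {filt[0]!r} is not permitted")
    return query_vulnerable(rows, filt)


def enumerate_value(query, row_id, field, alphabet=ALPHABET, max_len=64):
    """Recover row_id's concealed field one character at a time.
    The attacker never sees the value (it comes back as ****); they only
    observe whether the record with the known id is in the result set."""
    known = ""
    for _ in range(max_len):
        for ch in alphabet:
            hits = query(ROWS, (field, "_starts_with", known + ch))
            if any(r["id"] == row_id for r in hits):
                known += ch
                break
        else:
            return known       # no character extends the prefix: value complete
    return known


def recover_or_none(query, row_id, field):
    """Run the enumeration; None means the endpoint refused the oracle query."""
    try:
        return enumerate_value(query, row_id, field)
    except ForbiddenFilter:
        return None


if __name__ == "__main__":
    print("unfiltered read:", query_vulnerable(ROWS))
    print("vulnerable endpoint leaks:", recover_or_none(query_vulnerable, 1, "api_key"))
    print("hardened endpoint leaks:", recover_or_none(query_hardened, 1, "api_key"))
```

Two points worth noting from the simulation. First, the cost of the attack is linear: at most `len(alphabet)` requests per recovered character, so a 40-character token over the alphabet above takes a few hundred reads, well within what an ordinary authenticated client performs; rate limiting slows this down but does not close it. Second, the same oracle exists for any operation that evaluates the hidden value and reports membership, including free-text `search` across fields, so a fix has to cover every such path rather than only the equality filter.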