CVE-2025-64748

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-64748

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64748.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-64748

Aliases

GHSA-8jpw-gpr4-8cmh

Published

2025-11-13T21:29:44.649Z

Modified

2026-04-02T13:00:03.089476Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Directus's conceal fields are searchable if read permissions enabled

Details

Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (****), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. Version 11.13.0 fixes the issue.

Database specific

{
    "cwe_ids": [
        "CWE-201"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64748.json"
}

References

Affected packages

Git / github.com/directus/directus

Affected ranges

Type: GIT
Repo: https://github.com/directus/directus
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

79b0648d4f0326b053a9a7dd7e020a8e12205fc1

Affected versions

10.*

10.11.2

v10.*

v10.0.0

v10.1.0

v10.1.1

v10.10.0

v10.10.1

v10.10.2

v10.10.3

v10.10.4

v10.10.5

v10.10.6

v10.10.7

v10.11.0

v10.11.1

v10.11.2

v10.12.0

v10.12.1

v10.13.0

v10.13.1

v10.13.2

v10.13.3

v10.13.4

v10.2.0

v10.2.1

v10.3.0

v10.4.0

v10.4.2

v10.4.3

v10.5.0

v10.5.1

v10.5.2

v10.5.3

v10.6.0

v10.6.1

v10.6.2

v10.6.3

v10.6.4

v10.7.0

v10.7.0-beta.0

v10.7.1

v10.7.2

v10.8.0

v10.8.1

v10.8.2

v10.8.3

v10.9.0

v10.9.1

v10.9.2

v10.9.3

v11.*

v11.0.0

v11.0.0-rc.1

v11.0.0-rc.2

v11.0.0-rc.3

v11.0.1

v11.0.2

v11.1.0

v11.1.1

v11.1.2

v11.10.0

v11.10.1

v11.10.2

v11.11.0

v11.12.0

v11.2.0

v11.2.1

v11.2.2

v11.3.0

v11.3.1

v11.3.2

v11.3.3

v11.3.4

v11.3.5

v11.4.0

v11.4.1

v11.5.0

v11.5.1

v11.6.0

v11.6.1

v11.7.0

v11.7.1

v11.7.2

v11.8.0

v11.9.0

v11.9.1

v11.9.2

v11.9.3

v9.*

v9.0.0

v9.0.0-alpha.10

v9.0.0-alpha.11

v9.0.0-alpha.12

v9.0.0-alpha.13

v9.0.0-alpha.14

v9.0.0-alpha.15

v9.0.0-alpha.16

v9.0.0-alpha.17

v9.0.0-alpha.18

v9.0.0-alpha.19

v9.0.0-alpha.20

v9.0.0-alpha.21

v9.0.0-alpha.22

v9.0.0-alpha.23

v9.0.0-alpha.24

v9.0.0-alpha.25

v9.0.0-alpha.26

v9.0.0-alpha.27

v9.0.0-alpha.31

v9.0.0-alpha.32

v9.0.0-alpha.33

v9.0.0-alpha.34

v9.0.0-alpha.35

v9.0.0-alpha.36

v9.0.0-alpha.37

v9.0.0-alpha.38

v9.0.0-alpha.39

v9.0.0-alpha.4

v9.0.0-alpha.40

v9.0.0-alpha.41

v9.0.0-alpha.42

v9.0.0-alpha.5

v9.0.0-alpha.6

v9.0.0-alpha.7

v9.0.0-alpha.8

v9.0.0-alpha.9

v9.0.0-beta.0

v9.0.0-beta.1

v9.0.0-beta.10

v9.0.0-beta.11

v9.0.0-beta.12

v9.0.0-beta.13

v9.0.0-beta.14

v9.0.0-beta.2

v9.0.0-beta.3

v9.0.0-beta.4

v9.0.0-beta.5

v9.0.0-beta.7

v9.0.0-beta.8

v9.0.0-beta.9

v9.0.0-rc.0

v9.0.0-rc.1

v9.0.0-rc.10

v9.0.0-rc.100

v9.0.0-rc.101

v9.0.0-rc.11

v9.0.0-rc.12

v9.0.0-rc.13

v9.0.0-rc.14

v9.0.0-rc.15

v9.0.0-rc.17

v9.0.0-rc.18

v9.0.0-rc.19

v9.0.0-rc.2

v9.0.0-rc.20

v9.0.0-rc.21

v9.0.0-rc.22

v9.0.0-rc.23

v9.0.0-rc.24

v9.0.0-rc.25

v9.0.0-rc.26

v9.0.0-rc.27

v9.0.0-rc.28

v9.0.0-rc.29

v9.0.0-rc.3

v9.0.0-rc.30

v9.0.0-rc.31

v9.0.0-rc.32

v9.0.0-rc.33

v9.0.0-rc.34

v9.0.0-rc.35

v9.0.0-rc.36

v9.0.0-rc.37

v9.0.0-rc.38

v9.0.0-rc.39

v9.0.0-rc.4

v9.0.0-rc.40

v9.0.0-rc.41

v9.0.0-rc.42

v9.0.0-rc.43

v9.0.0-rc.44

v9.0.0-rc.45

v9.0.0-rc.46

v9.0.0-rc.47

v9.0.0-rc.48

v9.0.0-rc.49

v9.0.0-rc.5

v9.0.0-rc.50

v9.0.0-rc.51

v9.0.0-rc.52

v9.0.0-rc.53

v9.0.0-rc.54

v9.0.0-rc.55

v9.0.0-rc.56

v9.0.0-rc.57

v9.0.0-rc.58

v9.0.0-rc.59

v9.0.0-rc.6

v9.0.0-rc.60

v9.0.0-rc.61

v9.0.0-rc.62

v9.0.0-rc.63

v9.0.0-rc.64

v9.0.0-rc.65

v9.0.0-rc.66

v9.0.0-rc.67

v9.0.0-rc.68

v9.0.0-rc.69

v9.0.0-rc.7

v9.0.0-rc.70

v9.0.0-rc.71

v9.0.0-rc.72

v9.0.0-rc.73

v9.0.0-rc.74

v9.0.0-rc.75

v9.0.0-rc.76

v9.0.0-rc.77

v9.0.0-rc.78

v9.0.0-rc.79

v9.0.0-rc.8

v9.0.0-rc.80

v9.0.0-rc.81

v9.0.0-rc.82

v9.0.0-rc.83

v9.0.0-rc.84

v9.0.0-rc.85

v9.0.0-rc.86

v9.0.0-rc.87

v9.0.0-rc.88

v9.0.0-rc.89

v9.0.0-rc.9

v9.0.0-rc.90

v9.0.0-rc.91

v9.0.0-rc.92

v9.0.0-rc.93

v9.0.0-rc.94

v9.0.0-rc.95

v9.0.0-rc.96

v9.0.0-rc.97

v9.0.0-rc.98

v9.0.0-rc.99

v9.0.0-y.0

v9.0.1

v9.1.0

v9.1.1

v9.1.2

v9.10.0

v9.11.0

v9.11.1

v9.12.0

v9.12.1

v9.12.2

v9.13.0

v9.14.0

v9.14.1

v9.14.2

v9.14.3

v9.14.4

v9.14.5

v9.15.0

v9.15.1

v9.16.0

v9.16.1

v9.17.0

v9.17.1

v9.17.2

v9.17.3

v9.17.4

v9.18.0

v9.18.1

v9.19.0

v9.19.1

v9.19.2

v9.2.0

v9.2.1

v9.2.2

v9.20.0

v9.20.1

v9.20.2

v9.20.3

v9.20.4

v9.21.0

v9.21.1

v9.21.2

v9.22.0

v9.22.1

v9.22.2

v9.22.3

v9.22.4

v9.23.0

v9.23.1

v9.23.2

v9.23.3

v9.23.4

v9.24.0

v9.25.0

v9.25.1

v9.25.2

v9.26.0

v9.3.0

v9.4.0

v9.4.1

v9.4.2

v9.4.3

v9.5.0

v9.5.1

v9.5.2

v9.6.0

v9.7.0

v9.7.1

v9.8.0

v9.9.0

v9.9.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64748.json"