6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64748

GHSA ID

GHSA-8jpw-gpr4-8cmh

EPSS Score

CWE

CWE-201

Published

11/13/2025

Updated

11/13/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64748

CVE-2025-64748: Directus's conceal fields are searchable if read permissions enabled

Summary

A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (****), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data.

Details

The system permits search operations on concealed fields in the directus_users collection, including token, tfa_secret, password. Matching records are returned with masked values, but their presence confirms the searched value exists.

The "Recommended Defaults" for "App Access" grant users full read permissions to their role/user records, inadvertently enabling them to search for any user's tokens, TFA secrets, and password hashes. Attackers can leverage known password hashes from breach databases to identify accounts with compromised passwords.

Impact

This vulnerability enables:

Token enumeration - Verification of valid authentication tokens
Password hash matching - Identification of accounts using known compromised passwords
Information disclosure - Confirmation of sensitive value existence without viewing actual data
Increased attack surface - Default permissions automatically expose all deployments using recommended settings

The risk is particularly high for password fields, where attackers can cross-reference publicly available hash databases to identify vulnerable accounts.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64748

CVE-2025-64748:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64748

GHSA ID

GHSA-8jpw-gpr4-8cmh

EPSS Score

CWE

CWE-201

Published

11/13/2025

Updated

11/13/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
directus	npm	< 11.13.0	11.13.0
@directus/api	npm	< 32.0.0	32.0.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided security advisory and the associated commit 7737d56e096f95edfbdf861a3c08999ad31ce204 points directly to a flaw in how search queries were constructed. The vulnerability description explains that concealed fields were searchable if a user had read permissions, allowing for data enumeration. The commit patch modifies the api/src/database/run-ast/lib/apply-query/search.ts file, specifically within the applySearch function. The change involves adding a condition to the filter that prepares the list of fields to be searched. The added condition, && field.special.includes('conceal') !== true, explicitly removes fields marked as 'conceal' from the search operation. This directly mitigates the described vulnerability. Therefore, the applySearch function is identified as the vulnerable function because it was responsible for including sensitive, concealed fields in the search logic.

Vulnerable functions

applySearch

api/src/database/run-ast/lib/apply-query/search.ts

The vulnerability lies in the `applySearch` function, which is responsible for constructing search queries. Prior to the patch, this function did not correctly filter out fields with the 'conceal' special flag. As a result, if a user had read permissions on a collection, they could perform search queries against concealed fields (like passwords or tokens). While the actual values of these fields would be masked in the results, the return of a record would confirm that the searched value exists. This allowed for an enumeration attack to validate sensitive data like tokens or password hashes. The patch corrects this by adding a filter to explicitly exclude fields where `field.special` contains 'conceal' from being included in the search.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64748: Directus's conceal fields are searchable if read permissions enabled

Summary

Details

Impact

CVE-2025-64748:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

6.5

6.5

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2025-64748: Directus's conceal fields are searchable if read permissions enabled

Summary

Details

Impact

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI