4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64749

GHSA ID

GHSA-cph6-524f-3hgr

EPSS Score

CWE

CWE-203

Published

11/13/2025

Updated

11/13/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64749

CVE-2025-64749: Directus Vulnerable to Information Leakage in Existing Collections

Summary:

An observable difference in error messaging was found in the Directus REST API. The /items/{collection} API returns different error messages for these two cases:

A user tries to access an existing collection which they are not authorized to access.
A user tries to access a non-existing collection.

The two differing error messages leak the existence of collections to users which are not authorized to access these collections.

Details:

The following response returns an error message, when requesting a collection the user is not authorized to access.

GET /items/no-access
{
  "errors": [
    {
      "message": "You don't have permission to access collection \"no-access\" or it does not exist. Queried in root.",
      "extensions": {
        "reason": "You don't have permission to access collection \"no-access\" or it does not exist. Queried in root.",
        "code": "FORBIDDEN"
      }
    }
  ]
}

The following response returns a different error message when requesting a collection which does not exist.

GET /items/does-not-exist
{
  "errors": [
    {
      "message": "You don't have permission to access this.",
      "extensions": {
        "code": "FORBIDDEN"
      }
    }
  ]
}

Impact:

The difference in errors between non-existent collections and collections blocked by permissions leak the existence of a collection to a user which is not authorized to access this object.

Credit:

Sebastian Krause - Hackmanit GmbH

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64749

CVE-2025-64749:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64749

GHSA ID

GHSA-cph6-524f-3hgr

EPSS Score

CWE

CWE-203

Published

11/13/2025

Updated

11/13/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
directus	npm	< 11.13.0	11.13.0
@directus/api	npm	< 32.0.0	32.0.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in an observable difference in error messages returned by the Directus REST API when a user attempts to access a collection. A different error message was returned for a non-existent collection compared to an existing collection for which the user lacks permissions. This allowed an unauthenticated user to enumerate the names of collections in the Directus instance.

The analysis of the patch commit f99c9b89071f9d136cc9b0d0c182f2d24542bc31 reveals changes in three key files that were responsible for generating these inconsistent error messages:

api/src/middleware/collection-exists.ts: The collectionExists middleware would throw a generic ForbiddenError when a requested collection did not exist.
api/src/permissions/modules/process-payload/process-payload.ts: The processPayload function would throw a more specific ForbiddenError with a detailed reason when a user lacked permissions for an action on an existing collection.
api/src/permissions/modules/validate-access/validate-access.ts: Similarly, the validateAccess function would generate a specific error message for permission failures on existing collections.

The patch rectifies this by introducing a centralized function, createCollectionForbiddenError, which generates a consistent error message regardless of whether the collection exists or the user simply lacks permission. By replacing the distinct ForbiddenError instantiations in the identified vulnerable functions, the patch eliminates the information leakage vector.

Vulnerable functions

collectionExists

api/src/middleware/collection-exists.ts

This function is a middleware that checks if a collection exists. Before the patch, it would throw a generic `ForbiddenError` if the collection did not exist. This error was different from the one thrown when a user tried to access an existing collection they were not authorized for, thus leaking the existence of collections.

processPayload

api/src/permissions/modules/process-payload/process-payload.ts

This function processes the payload for an API request and checks for permissions. When a user without permissions tried to perform an action on an existing collection, this function would throw a `ForbiddenError` with a detailed message. This message was different from the error for a non-existent collection, which allowed an attacker to determine if a collection exists.

validateAccess

api/src/permissions/modules/validate-access/validate-access.ts

This function validates a user's access to a collection. If the collection didn't exist, it would throw a `ForbiddenError` with a specific message indicating the user doesn't have permission or the collection doesn't exist. This error message was different from the one for a truly non-existent collection, leading to an information leak about the existence of collections.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64749: Directus Vulnerable to Information Leakage in Existing Collections

Summary:

Details:

Impact:

Credit:

CVE-2025-64749:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

4.3

4.3

Technical Details

CVE-2025-64749: Directus Vulnerable to Information Leakage in Existing Collections

Summary:

Details:

Impact:

Credit:

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI