CVE-2025-64749
Directus Vulnerable to Information Leakage in Existing Collections
Description
### Summary: An observable difference in error messaging was found in the Directus REST API. The `/items/{collection}` API returns different error messages for these two cases: 1. A user tries to access an existing collection which they are not authorized to access. 2. A user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users which are not authorized to access these collections. ### Details: The following response returns an error message, when requesting a collection the user is not authorized to access. ``` GET /items/no-access { "errors": [ { "message": "You don't have permission to access collection \"no-access\" or it does not exist. Queried in root.", "extensions": { "reason": "You don't have permission to access collection \"no-access\" or it does not exist. Queried in root.", "code": "FORBIDDEN" } } ] } ``` The following response returns a different error message when requesting a collection which does not exist. ``` GET /items/does-not-exist { "errors": [ { "message": "You don't have permission to access this.", "extensions": { "code": "FORBIDDEN" } } ] } ``` ### Impact: The difference in errors between non-existent collections and collections blocked by permissions leak the existence of a collection to a user which is not authorized to access this object. ### Credit: Sebastian Krause - [Hackmanit GmbH](https://hackmanit.de)
How to fix CVE-2025-64749
To remediate CVE-2025-64749, upgrade the affected package to a fixed version below.
- —upgrade to 11.13.0 or later
- —upgrade to 32.0.0 or later
Is CVE-2025-64749 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.