GHSA-cph6-524f-3hgr

Source
https://github.com/advisories/GHSA-cph6-524f-3hgr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-cph6-524f-3hgr/GHSA-cph6-524f-3hgr.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-cph6-524f-3hgr
Aliases
  • CVE-2025-64749
Published
2025-11-13T23:07:31Z
Modified
2025-11-14T01:00:38.493918Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Directus Vulnerable to Information Leakage in Existing Collections
Details

Summary:

An observable difference in error messaging was found in the Directus REST API. The /items/{collection} endpoint returns different error messages for these two cases:

1. A user tries to access an existing collection which they are not authorized to access.
2. A user tries to access a non-existing collection.

Because the two error messages differ, they leak the existence of collections to users who are not authorized to access them.

Details:

The following error response is returned when requesting an existing collection that the user is not authorized to access.

GET /items/no-access
{
  "errors": [
    {
      "message": "You don't have permission to access collection \"no-access\" or it does not exist. Queried in root.",
      "extensions": {
        "reason": "You don't have permission to access collection \"no-access\" or it does not exist. Queried in root.",
        "code": "FORBIDDEN"
      }
    }
  ]
}

The following, different error response is returned when requesting a collection that does not exist.

GET /items/does-not-exist
{
  "errors": [
    {
      "message": "You don't have permission to access this.",
      "extensions": {
        "code": "FORBIDDEN"
      }
    }
  ]
}

Impact:

The difference between the error returned for a non-existent collection and the error returned for a collection blocked by permissions leaks the existence of that collection to a user who is not authorized to access it.

Credit:

Sebastian Krause - Hackmanit GmbH

Database specific
{
    "cwe_ids": [
        "CWE-203",
        "CWE-209"
    ],
    "nvd_published_at": null,
    "github_reviewed_at": "2025-11-13T23:07:31Z",
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

npm / directus

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
11.13.0

npm / @directus/api

Package

Name
@directus/api
Purl
pkg:npm/%40directus/api

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
32.0.0