# Directus < 11.13.0 – Improper Permission Handling on Deleted Fields (CVE-2025-64746)

**Author:** Beatriz Fresno Naumova (beafn28)

**Date:** 13/11/2025

**Vendor:** Directus

**Product:** Directus

**Versions affected:** < 11.13.0

**Component:** Field-level permissions handling (collections / permissions table)

**CWE:**

* CWE-284 – Improper Access Control
* CWE-863 – Incorrect Authorization

**Attack type:** Remote

**Impact:** Unauthorized Access / Information Disclosure

### Description

Directus versions prior to 11.13.0 do not properly clean up field-level permissions when a field is deleted from a collection.\
When a field is removed, its corresponding entry in the permissions table remains intact. If a new field is later created using the same name, Directus automatically re-applies the stale permission entry to the new field.

This behavior can unintentionally grant roles access to data they should not be authorized to read or modify, resulting in improper access control.

### Impact

**Primary impact:** Unauthorized access to newly created fields due to inherited permissions.

**Consequences:**

* Accidental exposure of sensitive data
* Unauthorized read or modification of fields
* Increased risk in multi-tenant or production environments
* Security policy violations caused by permission reuse

### Attack Details

#### Proof of Concept (Logical Steps)

1. Create a collection named `test_collection`.
2. Add a field named `secret_field`.
3. Assign a role with read permissions specifically for `secret_field`.
4. Delete the `secret_field` from the collection.
5. Create a new field with the same name: `secret_field`.
6. Observe that the previously assigned permissions are automatically applied to the new field without reconfiguration.

### CVSS Details

* **Attack Vector (AV):** Network (N)
* **Attack Complexity (AC):** Low (L)
* **Privileges Required (PR):** Low (L)
* **User Interaction (UI):** Required (R)
* **Scope (S):** Unchanged (U)
* **Confidentiality (C):** Low (L)
* **Integrity (I):** Low (L)
* **Availability (A):** None (N)

**CNA CVSS v3.1 Vector (GitHub):**\
`CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N`

**CNA CVSS v3.1 Base Score:** 4.6 (Medium)

**NVD CVSS v3.1 Base Score:** 5.4 (Medium)\
`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N`

> **Note:** The National Vulnerability Database (NVD) assigns a higher score by considering **no privileges required (PR:N)**, which increases the overall severity.

### Mitigation

* **Permission cleanup:** Ensure that field-level permission entries are fully removed when fields are deleted.
* **Name reuse safeguards:** Prevent automatic inheritance of permissions when recreating fields with previously used names.
* **Administrative review:** Require explicit permission reassignment when creating new fields.
* **Security testing:** Add regression tests covering permission lifecycle events (create, delete, recreate).
* **Upgrade:** Update Directus to version **11.13.0** or later, where the issue is fixed.
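The following is an added example written for this page; it is not code from the advisory or from the Directus project. It models a collection's field list and its field-level permission rows in memory, replays the six proof-of-concept steps above against a delete routine that leaves permission rows behind and against one that cleans them up, and includes the audit helper and regression check suggested under Mitigation. All type names, function names, the `role` attribute and the `"*"` wildcard semantics are assumptions of this model, not the real Directus schema.

```typescript
// Added example, not Directus project code. In-memory model of a collection's
// fields and its field-level permission rows; row shapes are assumed and
// simplified and do not mirror the real Directus tables.

type Action = "read" | "create" | "update" | "delete";

interface Permission {
  role: string;       // assumed: the role (or policy) the rule belongs to
  collection: string;
  action: Action;
  fields: string[];   // allowed fields for this rule; "*" stands for every field
}

interface Schema {
  fields: Map<string, Set<string>>; // collection name -> live field names
  permissions: Permission[];
}

interface StaleEntry { role: string; collection: string; action: Action; field: string }

function createSchema(): Schema {
  return { fields: new Map(), permissions: [] };
}

function addField(s: Schema, collection: string, field: string): void {
  if (!s.fields.has(collection)) s.fields.set(collection, new Set());
  s.fields.get(collection)!.add(field);
}

function grant(s: Schema, role: string, collection: string, action: Action, fields: string[]): void {
  s.permissions.push({ role, collection, action, fields: [...fields] });
}

// Behaviour described in the advisory: the field is dropped from the
// collection, but every permission row that names it is left intact.
function deleteFieldUnsafe(s: Schema, collection: string, field: string): void {
  s.fields.get(collection)?.delete(field);
}

// Hardened behaviour: the field is stripped from every permission row of the
// collection, and rows whose allow-list becomes empty are removed, so a later
// field with the same name starts with no inherited access.
function deleteFieldSafe(s: Schema, collection: string, field: string): void {
  s.fields.get(collection)?.delete(field);
  s.permissions = s.permissions
    .map((p) => (p.collection === collection ? { ...p, fields: p.fields.filter((f) => f !== field) } : p))
    .filter((p) => p.fields.length > 0);
}

// Audit helper for an existing instance: permission rows that name a field the
// collection no longer has. Wildcard rules are skipped because "*" is meant to
// cover fields added later.
function findStalePermissions(s: Schema): StaleEntry[] {
  const stale: StaleEntry[] = [];
  for (const p of s.permissions) {
    const live = s.fields.get(p.collection) ?? new Set<string>();
    for (const f of p.fields) {
      if (f !== "*" && !live.has(f)) {
        stale.push({ role: p.role, collection: p.collection, action: p.action, field: f });
      }
    }
  }
  return stale;
}

function canRead(s: Schema, role: string, collection: string, field: string): boolean {
  return s.permissions.some(
    (p) => p.role === role && p.collection === collection && p.action === "read" &&
      (p.fields.includes("*") || p.fields.includes(field)),
  );
}

// The lifecycle from the proof of concept, parameterised on the delete routine
// so the same run doubles as a regression test for the cleanup.
function lifecycle(deleteField: (s: Schema, c: string, f: string) => void) {
  const s = createSchema();
  addField(s, "test_collection", "secret_field");                  // steps 1-2
  grant(s, "viewer", "test_collection", "read", ["secret_field"]); // step 3
  deleteField(s, "test_collection", "secret_field");               // step 4
  const staleAfterDelete = findStalePermissions(s).length;
  addField(s, "test_collection", "secret_field");                  // step 5
  const readableAfterRecreate = canRead(s, "viewer", "test_collection", "secret_field"); // step 6
  return { staleAfterDelete, readableAfterRecreate };
}

console.log("unsafe delete:", lifecycle(deleteFieldUnsafe)); // stale row survives, recreated field readable
console.log("safe delete:  ", lifecycle(deleteFieldSafe));   // no stale row, recreated field not readable
```

With the unsafe delete, `findStalePermissions` reports one orphaned row right after step 4 and the recreated `secret_field` is immediately readable by `viewer`; with the cleanup in place both checks come back clean. The same `findStalePermissions` logic, fed with the field and permission rows exported from a real instance, is a practical way to look for left-over entries before upgrading.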

### Discoverer

Beatriz Fresno Naumova (beafn28)

### References

* **CVE:** <https://www.cve.org/CVERecord?id=CVE-2025-64746>
* **GitHub Advisory:** <https://github.com/directus/directus/security/advisories/GHSA-9x5g-62gj-wqf2>
* **NIST:** <https://nvd.nist.gov/vuln/detail/CVE-2025-64746>
