Directus < 11.13.0 – Improper Permission Handling on Deleted Fields (CVE-2025-64746)

Author: Beatriz Fresno Naumova (beafn28)

Date: 13/11/2025

Vendor: Directus

Product: Directus

Versions affected: < 11.13.0

Component: Field-level permissions handling (collections / permissions table)

CWE:

  • CWE-284 – Improper Access Control

  • CWE-863 – Incorrect Authorization

Attack type: Remote

Impact: Unauthorized Access / Information Disclosure

Description

Directus versions prior to 11.13.0 do not properly clean up field-level permissions when a field is deleted from a collection. When a field is removed, its corresponding entry in the permissions table remains intact. If a new field is later created using the same name, Directus automatically re-applies the stale permission entry to the new field.

This behavior can unintentionally grant roles access to data they should not be authorized to read or modify, resulting in improper access control.

Impact

Primary impact: Unauthorized access to newly created fields due to inherited permissions.

Consequences:

  • Accidental exposure of sensitive data

  • Unauthorized read or modification of fields

  • Increased risk in multi-tenant or production environments

  • Security policy violations caused by permission reuse

Attack Details

Proof of Concept (Logical Steps)

  1. Create a collection named test_collection.

  2. Add a field named secret_field.

  3. Assign a role with read permissions specifically for secret_field.

  4. Delete the secret_field from the collection.

  5. Create a new field with the same name: secret_field.

  6. Observe that the previously assigned permissions are automatically applied to the new field without reconfiguration: a user in that role can read the recreated secret_field even though no administrator granted access to it again.
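To make the lifecycle above concrete, here is an added model of the behaviour in Python, written for this page and not taken from Directus itself or from the upstream fix. It keeps a simplified copy of two Directus tables in SQLite: `directus_fields` (one row per field) and `directus_permissions` (one row per policy, collection and action, with the permitted fields stored as a comma-separated list). The exact column layout, the `editor-policy` name and the helper function names are assumptions for the model. `delete_field_vulnerable` mirrors the pre-11.13.0 behaviour described in the advisory (only the field row is removed), `delete_field_fixed` is one reasonable cleanup, and `stale_field_permissions` is the audit check an operator would run to find permission entries that still name deleted fields.

```python
import sqlite3

# Assumed, simplified schema for the model (the real Directus tables carry more columns).
SCHEMA = """
CREATE TABLE directus_fields (
    collection TEXT NOT NULL,
    field      TEXT NOT NULL,
    PRIMARY KEY (collection, field)
);
CREATE TABLE directus_permissions (
    id         INTEGER PRIMARY KEY,
    policy     TEXT NOT NULL,   -- policy attached to the role (Directus 11 model)
    collection TEXT NOT NULL,
    action     TEXT NOT NULL,   -- read / create / update / delete
    fields     TEXT NOT NULL    -- comma-separated field names, or '*' for all
);
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def create_field(conn, collection, field):
    conn.execute("INSERT OR IGNORE INTO directus_fields VALUES (?, ?)", (collection, field))


def grant(conn, policy, collection, action, fields):
    conn.execute(
        "INSERT INTO directus_permissions (policy, collection, action, fields) VALUES (?, ?, ?, ?)",
        (policy, collection, action, ",".join(fields)),
    )


def delete_field_vulnerable(conn, collection, field):
    # Pre-11.13.0 behaviour as described in the advisory: the field row goes away,
    # but every permission row that names the field is left untouched.
    conn.execute("DELETE FROM directus_fields WHERE collection = ? AND field = ?", (collection, field))


def delete_field_fixed(conn, collection, field):
    # Hardened variant: also strip the field from every permission row of the
    # collection, and drop rows that no longer grant any field at all.
    delete_field_vulnerable(conn, collection, field)
    rows = conn.execute(
        "SELECT id, fields FROM directus_permissions WHERE collection = ?", (collection,)
    ).fetchall()
    for pid, fields in rows:
        if fields == "*":
            continue  # wildcard grants are intentionally field-agnostic
        remaining = [f for f in fields.split(",") if f and f != field]
        if remaining:
            conn.execute("UPDATE directus_permissions SET fields = ? WHERE id = ?", (",".join(remaining), pid))
        else:
            conn.execute("DELETE FROM directus_permissions WHERE id = ?", (pid,))


def allowed_fields(conn, policy, collection, action):
    """Fields the policy may `action` on `collection`, resolved against the fields that exist now."""
    existing = {r[0] for r in conn.execute("SELECT field FROM directus_fields WHERE collection = ?", (collection,))}
    allowed = set()
    for (fields,) in conn.execute(
        "SELECT fields FROM directus_permissions WHERE policy = ? AND collection = ? AND action = ?",
        (policy, collection, action),
    ):
        allowed |= existing if fields == "*" else {f for f in fields.split(",") if f in existing}
    return allowed


def stale_field_permissions(conn):
    """Audit: (id, policy, collection, field) for every permission entry naming a field that no longer exists."""
    stale = []
    for pid, policy, collection, fields in conn.execute(
        "SELECT id, policy, collection, fields FROM directus_permissions"
    ).fetchall():
        if fields == "*":
            continue
        existing = {r[0] for r in conn.execute("SELECT field FROM directus_fields WHERE collection = ?", (collection,))}
        stale.extend((pid, policy, collection, f) for f in fields.split(",") if f and f not in existing)
    return stale


def run_poc(delete_field):
    """Replay steps 1-6 of the advisory with the given delete implementation (constructed data)."""
    conn = make_db()
    create_field(conn, "test_collection", "id")
    create_field(conn, "test_collection", "secret_field")                     # steps 1-2
    grant(conn, "editor-policy", "test_collection", "read", ["id", "secret_field"])  # step 3
    delete_field(conn, "test_collection", "secret_field")                     # step 4
    result = {
        "after_delete": allowed_fields(conn, "editor-policy", "test_collection", "read"),
        "stale_after_delete": stale_field_permissions(conn),
    }
    create_field(conn, "test_collection", "secret_field")                     # step 5: same name again
    result["after_recreate"] = allowed_fields(conn, "editor-policy", "test_collection", "read")  # step 6
    return result


if __name__ == "__main__":
    for name, fn in (("vulnerable", delete_field_vulnerable), ("fixed", delete_field_fixed)):
        print(name, run_poc(fn))
```

With the vulnerable delete, the read grant for `secret_field` is invisible while the field is absent, then silently springs back when a field of the same name is created; the audit function flags the dangling entry in between, which is the window in which an operator can catch it. With the hardened delete, the grant is gone for good and the recreated field starts with no permissions.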

CVSS Details

  • Attack Vector (AV): Network (N)

  • Attack Complexity (AC): Low (L)

  • Privileges Required (PR): Low (L)

  • User Interaction (UI): Required (R)

  • Scope (S): Unchanged (U)

  • Confidentiality (C): Low (L)

  • Integrity (I): Low (L)

  • Availability (A): None (N)

CNA CVSS v3.1 Vector (GitHub): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CNA CVSS v3.1 Base Score: 4.6 (Medium)

NVD CVSS v3.1 Base Score: 5.4 (Medium) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Note: The National Vulnerability Database (NVD) assigns a higher score by considering no privileges required (PR:N), which increases the overall severity.

Mitigation

  • Upgrade: Update Directus to version 11.13.0 or later, where the issue is fixed.

  • Permission cleanup: Ensure that field-level permission entries are fully removed when fields are deleted. On instances that ran an affected version, review the permissions table for entries that reference fields which no longer exist before reusing a field name.

  • Name reuse safeguards: Prevent automatic inheritance of permissions when recreating fields with previously used names.

  • Administrative review: Require explicit permission reassignment when creating new fields, rather than relying on any entry that happens to match the field name.

  • Security testing: Add regression tests covering permission lifecycle events (create, delete, recreate).

Discoverer

Beatriz Fresno Naumova (beafn28)
