GHSA-CPH6-524F-3HGR

Vulnerability from github – Published: 2025-11-13 23:07 – Updated: 2025-11-15 03:15
VLAI?
Summary
Directus Vulnerable to Information Leakage in Existing Collections
Details

Summary:

An observable difference in error messaging was found in the Directus REST API. The /items/{collection} API returns different error messages for these two cases: 1. A user tries to access an existing collection which they are not authorized to access. 2. A user tries to access a non-existing collection.

The two differing error messages leak the existence of collections to users which are not authorized to access these collections.

Details:

The following response returns an error message, when requesting a collection the user is not authorized to access.

GET /items/no-access
{
  "errors": [
    {
      "message": "You don't have permission to access collection \"no-access\" or it does not exist. Queried in root.",
      "extensions": {
        "reason": "You don't have permission to access collection \"no-access\" or it does not exist. Queried in root.",
        "code": "FORBIDDEN"
      }
    }
  ]
}

The following response returns a different error message when requesting a collection which does not exist.

GET /items/does-not-exist
{
  "errors": [
    {
      "message": "You don't have permission to access this.",
      "extensions": {
        "code": "FORBIDDEN"
      }
    }
  ]
}

Impact:

The difference in errors between non-existent collections and collections blocked by permissions leak the existence of a collection to a user which is not authorized to access this object.

Credit:

Sebastian Krause - Hackmanit GmbH

Severity ?
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@directus/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "32.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64749"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-209"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-13T23:07:31Z",
    "nvd_published_at": "2025-11-13T22:15:52Z",
    "severity": "MODERATE"
  },
  "details": "### Summary:\n\nAn observable difference in error messaging was found in the Directus REST API. The `/items/{collection}` API returns different error messages for these two cases:\n1. A user tries to access an existing collection which they are not authorized to access.\n2. A user tries to access a non-existing collection.\n\nThe two differing error messages leak the existence of collections to users which are not authorized to access these collections.\n\n### Details:\n\nThe following response returns an error message, when requesting a collection the user is not authorized to access.\n\n```\nGET /items/no-access\n{\n  \"errors\": [\n    {\n      \"message\": \"You don\u0027t have permission to access collection \\\"no-access\\\" or it does not exist. Queried in root.\",\n      \"extensions\": {\n        \"reason\": \"You don\u0027t have permission to access collection \\\"no-access\\\" or it does not exist. Queried in root.\",\n        \"code\": \"FORBIDDEN\"\n      }\n    }\n  ]\n}\n```\n\nThe following response returns a different error message when requesting a collection which does not exist.\n\n```\nGET /items/does-not-exist\n{\n  \"errors\": [\n    {\n      \"message\": \"You don\u0027t have permission to access this.\",\n      \"extensions\": {\n        \"code\": \"FORBIDDEN\"\n      }\n    }\n  ]\n}\n```\n\n### Impact:\n\nThe difference in errors between non-existent collections and collections blocked by permissions leak the existence of a collection to a user which is not authorized to access this object.\n\n### Credit:\n\nSebastian Krause - [Hackmanit GmbH](https://hackmanit.de)",
  "id": "GHSA-cph6-524f-3hgr",
  "modified": "2025-11-15T03:15:40Z",
  "published": "2025-11-13T23:07:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64749"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/commit/f99c9b89071f9d136cc9b0d0c182f2d24542bc31"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directus Vulnerable to Information Leakage in Existing Collections"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.