CVE-2025-64746

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue.

PUBLISHED Reserved 2025-11-10 | Published 2025-11-13 | Updated 2025-11-13 | Assigner GitHub_M

Problem types

CWE-284: Improper Access Control

CWE-863: Incorrect Authorization

Product status

References

github.com/...rectus/security/advisories/GHSA-9x5g-62gj-wqf2

github.com/...ommit/84d7636969083387164ce5d2fd15a65e11e2d0b8

cve.org (CVE-2025-64746)

nvd.nist.gov (CVE-2025-64746)

Download JSON