
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN798
_____________________________________________________________________

DATE                : 14/11/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Directus versions prior
                     to 11.13.0.

=====================================================================
https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh
https://github.com/directus/directus/security/advisories/GHSA-9x5g-62gj-wqf2
_____________________________________________________________________


Conceal fields are searchable if read permissions enabled
Moderate
br41nslug published GHSA-8jpw-gpr4-8cmh Nov 13, 2025

Package
directus (npm)

Affected versions
< 11.13.0

Patched versions
11.13.0


Description

Summary

A vulnerability allows authenticated users to search concealed/sensitive
fields when they have read permissions. While actual values remain
masked (****), successful matches can be detected through returned
records, enabling enumeration attacks on sensitive data.


Details

The system permits search operations on concealed fields in the
directus_users collection, including token, tfa_secret, password.
Matching records are returned with masked values, but their
presence confirms the searched value exists.

The "Recommended Defaults" for "App Access" grant users full read
permissions to their role/user records, inadvertently enabling them
to search for any user's tokens, TFA secrets, and password hashes.
Attackers can leverage known password hashes from breach databases
to identify accounts with compromised passwords.
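As an added illustration (not code from Directus or from the advisory), the following Python model shows why output masking alone does not close this gap: a filter or search that touches a concealed field still changes which records come back, and that difference is the oracle. The sample rows, the `protect_concealed` switch and the refusal/skip behaviour of the hardened path are assumptions of the model, not the project's actual fix.

```python
# Constructed sample rows standing in for directus_users; every secret here is a placeholder.
USERS = [
    {"id": 1, "email": "a@example.org", "token": "tok-A", "tfa_secret": None,
     "password": "$argon2id$PLACEHOLDER-HASH-A"},
    {"id": 2, "email": "b@example.org", "token": "tok-B", "tfa_secret": "TFA-B",
     "password": "$argon2id$PLACEHOLDER-HASH-B"},
]
CONCEALED = {"token", "tfa_secret", "password"}  # fields the advisory names as concealed

def mask(row):
    # Output masking as the advisory describes: concealed values come back as "****".
    return {k: "****" if k in CONCEALED and v is not None else v for k, v in row.items()}

def run_query(rows, filt=None, search=None, protect_concealed=False):
    """Model of a read on the collection by a user holding read permission.

    filt:   {field: exact value}, like a filter on specific fields
    search: substring matched against every string-valued field
    protect_concealed=False reproduces the pre-11.13.0 behaviour described above:
    concealed fields take part in matching, and only the output is masked.
    """
    filt = filt or {}
    blocked = CONCEALED & set(filt)
    if protect_concealed and blocked:
        # Hardened (assumed fix shape): refuse the query instead of answering with a telling row set.
        raise PermissionError(f"cannot filter on concealed field(s): {sorted(blocked)}")
    hits = []
    for row in rows:
        if any(row.get(k) != v for k, v in filt.items()):
            continue
        if search is not None:
            haystack = [v for k, v in row.items() if isinstance(v, str)
                        and not (protect_concealed and k in CONCEALED)]  # hardened: skip concealed
            if not any(search in v for v in haystack):
                continue
        hits.append(mask(row))
    return hits

def value_confirmed(rows, field, candidate, protect_concealed=False):
    # The oracle at the heart of the advisory: does the row count reveal that `candidate` is stored?
    try:
        return len(run_query(rows, filt={field: candidate}, protect_concealed=protect_concealed)) > 0
    except PermissionError:
        return False
```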


Impact

This vulnerability enables:

    Token enumeration - Verification of valid authentication tokens
    Password hash matching - Identification of accounts using known
        compromised passwords
    Information disclosure - Confirmation of sensitive value
        existence without viewing actual data
    Increased attack surface - Default permissions automatically
        expose all deployments using recommended settings

The risk is particularly high for password fields, where attackers
can cross-reference publicly available hash databases to identify
vulnerable accounts.


Severity
Moderate
6.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID
CVE-2025-64748

Weaknesses
No CWEs


Credits

    @bryantgillespie (Reporter)


_____________________________________________________________________

Improper Permission Handling on Deleted Fields in Directus
Moderate
br41nslug published GHSA-9x5g-62gj-wqf2 Nov 13, 2025

Package
directus (npm)

Affected versions
< 11.13.0

Patched versions
11.13.0


Description

Summary

Directus does not properly clean up field-level permissions when a
field is deleted. If a new field with the same name is created later,
the system automatically re-applies the old permissions, which can
lead to unauthorized access.


Details

When a field is removed from a collection, its reference in the
permissions table remains intact. This stale reference creates a
security gap: if another field is later created using the same name,
it inherits the outdated permission entry.

This behavior can unintentionally grant roles access to data they
should not be able to read or modify.

The issue is particularly risky in multi-tenant or production
environments, where administrators may reuse field names, assuming
old permissions have been fully cleared.

1. Create a collection named test_collection.
2. Add a field called secret_field.
3. Assign a role with read permissions specifically tied to
   secret_field.
4. Remove the secret_field from the collection.
5. Create a new field with the exact same name secret_field.
6. Notice that the previously assigned permissions are still
   active, granting access to the newly created field without
   reconfiguration.
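To make the stale-reference behaviour concrete, here is an added Python model (not Directus code) of the two tables involved, running the six steps above with the field delete done either the old way or with permission pruning, plus an audit helper that lists permission entries still naming a field their collection no longer has. The simplified table layout (a comma-separated fields column), the policy name "viewer" and the pruning fix are assumptions of the model.

```python
import sqlite3

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""CREATE TABLE directus_fields (collection TEXT, field TEXT);
        CREATE TABLE directus_permissions (id INTEGER PRIMARY KEY, policy TEXT,
            collection TEXT, action TEXT, fields TEXT);""")  # fields: comma-separated names (assumed)
    return conn

def add_field(conn, collection, field):
    conn.execute("INSERT INTO directus_fields VALUES (?, ?)", (collection, field))

def grant_read(conn, policy, collection, fields):
    conn.execute("INSERT INTO directus_permissions (policy, collection, action, fields) "
                 "VALUES (?, ?, 'read', ?)", (policy, collection, ",".join(fields)))

def existing_fields(conn, collection):
    return {f for (f,) in conn.execute("SELECT field FROM directus_fields WHERE collection = ?", (collection,))}

def delete_field(conn, collection, field, prune_permissions):
    conn.execute("DELETE FROM directus_fields WHERE collection = ? AND field = ?", (collection, field))
    if not prune_permissions:  # behaviour described for < 11.13.0: permission rows keep naming the field
        return
    # Fix shape (assumption): drop the field from every permission entry of that collection.
    for pid, fields in conn.execute("SELECT id, fields FROM directus_permissions "
                                    "WHERE collection = ?", (collection,)).fetchall():
        kept = ",".join(f for f in fields.split(",") if f != field)
        conn.execute("UPDATE directus_permissions SET fields = ? WHERE id = ?", (kept, pid))

def readable_fields(conn, policy, collection):
    # Fields the policy can read now: named in a read permission AND present in the collection.
    rows = conn.execute("SELECT fields FROM directus_permissions WHERE policy = ? AND collection = ? "
                        "AND action = 'read'", (policy, collection))
    named = {f for (fields,) in rows for f in fields.split(",")}
    return named & existing_fields(conn, collection)

def stale_field_permissions(conn):
    # Audit helper: permission entries that still name a field their collection no longer has.
    rows = conn.execute("SELECT id, collection, fields FROM directus_permissions").fetchall()
    return [(pid, coll, f) for pid, coll, fields in rows
            for f in fields.split(",") if f and f not in existing_fields(conn, coll)]

def reproduce(prune_permissions):
    conn = new_db()
    add_field(conn, "test_collection", "secret_field")                   # steps 1-2
    grant_read(conn, "viewer", "test_collection", ["secret_field"])      # step 3
    delete_field(conn, "test_collection", "secret_field", prune_permissions)  # step 4
    stale = stale_field_permissions(conn)               # what an audit sees after step 4
    add_field(conn, "test_collection", "secret_field")  # step 5: same name, new field
    return stale, readable_fields(conn, "viewer", "test_collection")     # step 6
```

Running the audit helper against a real permissions table before reusing a field name is the practical takeaway for administrators of unpatched instances.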


Impact

A new field created with the same name as a previously deleted field
may inherit the permissions of that deleted field. This can result in
existing policies unintentionally granting access to the new field.


Severity
Moderate
4.6 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CVE ID
CVE-2025-64746

Weaknesses
Weakness CWE-284
Weakness CWE-863


Credits

    @beafn28 (Reporter)


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================