CVE-2025-30352 — Sensitive Information Exposure in Directus

CWE-200 — Sensitive Information Exposure3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.1%

top 71.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Monospace Directus Directus

Timeline

PublishedMar 26

Description

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the `search` query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the enumeration of unknown field contents. The searchable columns (numbers & strings) are not checked against permissions when injecting the `where` clauses for applying the search query. This leads to the…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶npmdirectus/directus9.0.0-alpha.4 — 11.5.0

▶NVDmonospace/directus9.0.1 — 11.5.0+1

▶CVEListV5directus/directus>= 9.0.0-alpha.4, < 11.5.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

Directus `search` query parameter allows enumeration of non permitted fields↗2025-03-26

▶

GHSA

Directus `search` query parameter allows enumeration of non permitted fields↗2025-03-26

▶