CVE-2025-64749Observable Discrepancy in Directus

CWE-203Observable DiscrepancyCWE-209Information Exposure via Error Message3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
0.0%
top 88.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
DirectusMonospace DirectusDirectus API
Timeline
PublishedNov 13

Description

Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they are not authorized to access, and when user tries to access a non-existing collection. The two differing error messages leak the existence of collecti

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

npmdirectus/api< 32.0.0
CVEListV5directus/directus< 11.13.0
npmdirectus/directus< 11.13.0
NVDmonospace/directus< 11.13.0

Patches

Patch: github.com

🔴Vulnerability Details

2
GHSA
Directus Vulnerable to Information Leakage in Existing Collections2025-11-13
OSV
Directus Vulnerable to Information Leakage in Existing Collections2025-11-13