CVE-2025-64746: 
JavaScript vulnerability analysis and mitigation

Directus contains a vulnerability (CVE-2025-64746) related to improper permission handling on deleted fields. The issue was discovered and disclosed on November 13, 2025, affecting Directus versions prior to 11.13.0. The vulnerability occurs when field-level permissions are not properly cleaned up after a field is deleted, potentially leading to unauthorized access when new fields are created with the same name (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 4.6 (Moderate) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N. The issue stems from incomplete deletion of field-related data in the permissions table. When a field is deleted, its reference remains in the directus_permissions table, creating a security gap. The vulnerability is tracked as CWE-284 (Improper Access Control) and CWE-863 (Incorrect Authorization) (GitHub Advisory).

When a new field is created with the same name as a previously deleted field, it automatically inherits the old permissions from the stale reference. This inheritance can unintentionally grant roles access to data they should not be able to read or modify. The impact is particularly significant in multi-tenant or production environments where administrators may reuse field names, assuming old permissions have been fully cleared (GitHub Advisory).

The vulnerability has been patched in Directus version 11.13.0. The fix includes modifications to the FieldsService class to properly clean up permissions when fields are deleted. The patch adds new logic that queries the directus_permissions table for any permissions applying to the deleted field and removes the field from the fields list in those permission rules (GitHub Commit).