
Cloud Vulnerability DB
A community-led vulnerabilities database
Directus, a real-time API and App dashboard for managing SQL database content, contains a vulnerability (CVE-2025-64748) in versions prior to 11.13.0 that allows authenticated users to search concealed/sensitive fields when they have read permissions. The vulnerability was discovered and disclosed on November 13, 2025, affecting all Directus installations before version 11.13.0 (GitHub Advisory).
The vulnerability stems from a design flaw: the system permits search operations on concealed fields, including sensitive data such as tokens, tfa_secret, and password fields. While the actual values remain masked (****) in the response, a search term that matches a concealed value still returns the record, so the presence of a match discloses information that the masking was meant to hide. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, low attack complexity, low privileges required, and high confidentiality impact (GitHub Advisory).
The vulnerability enables several attack vectors: token enumeration for verifying valid authentication tokens, password hash matching for identifying accounts with compromised passwords, and information disclosure through confirmation that a given sensitive value exists. The risk is particularly significant for password fields, where attackers can cross-reference publicly available hash databases to identify vulnerable accounts. The 'Recommended Defaults' for 'App Access' grant users full read permissions to their role/user records, so every deployment that uses the recommended settings is exposed by default (GitHub Advisory).
The vulnerability has been fixed in Directus version 11.13.0. The fix involves preventing search operations on fields marked with the 'conceal' special flag, regardless of user permissions. Organizations should upgrade to version 11.13.0 or later to protect against this vulnerability (GitHub Commit).
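To make the fix concrete, the following added example (written for this page, not Directus project code) models the pre-11.13.0 search path beside the hardened one, with the output masking the advisory describes. It assumes Directus-style field metadata in which `meta.special` carries flags such as 'conceal'; the collection, rows and values are constructed for illustration.

```typescript
// Added example, not Directus code: the pre-11.13.0 search path beside the hardened one.
// Assumption: Directus-style field metadata where `meta.special` carries flags such as 'conceal'.
// The collection, rows and values below are constructed for illustration only.
interface Field { field: string; meta?: { special?: string[] | null } }
type Row = Record<string, string>;
// Constructed schema resembling a users collection (layout assumed).
const FIELDS: Field[] = [
  { field: 'id' },
  { field: 'email' },
  { field: 'password', meta: { special: ['hash', 'conceal'] } },
  { field: 'token', meta: { special: ['conceal'] } },
  { field: 'tfa_secret', meta: { special: ['conceal'] } },
];
// Constructed rows; 'HASH_A'/'HASH_B' stand in for stored password hashes.
const ROWS: Row[] = [
  { id: '1', email: 'alice@example.test', password: 'HASH_A', token: 'tok_a', tfa_secret: 'tfa_a' },
  { id: '2', email: 'bob@example.test', password: 'HASH_B', token: 'tok_b', tfa_secret: 'tfa_b' },
];
// Full read permission on every field, as the 'Recommended Defaults' for 'App Access' grant.
const READABLE: string[] = FIELDS.map((f) => f.field);
function isConcealed(f: Field): boolean {
  return (f.meta?.special ?? []).indexOf('conceal') !== -1;
}
// Pre-fix: every readable field is searchable, concealed or not.
function searchableVulnerable(fields: Field[], readable: string[]): string[] {
  return fields.filter((f) => readable.indexOf(f.field) !== -1).map((f) => f.field);
}
// Fixed: concealed fields are excluded from search regardless of read permission.
function searchableFixed(fields: Field[], readable: string[]): string[] {
  return fields.filter((f) => readable.indexOf(f.field) !== -1 && !isConcealed(f)).map((f) => f.field);
}
// Simplified `search` semantics: a row matches when any searchable field contains the term.
function search(rows: Row[], searchable: string[], term: string): Row[] {
  return rows.filter((row) => searchable.some((f) => (row[f] ?? '').indexOf(term) !== -1));
}
// Output masking as described: concealed values are returned as asterisks.
function mask(rows: Row[], fields: Field[]): Row[] {
  const hidden = fields.filter(isConcealed).map((f) => f.field);
  return rows.map((row) => {
    const out: Row = {};
    for (const k of Object.keys(row)) out[k] = hidden.indexOf(k) !== -1 ? '**********' : row[k];
    return out;
  });
}
// Masking hides the value, yet under the vulnerable path the presence of a match confirms it.
function matchCount(term: string, fixed: boolean): number {
  const searchable = fixed ? searchableFixed(FIELDS, READABLE) : searchableVulnerable(FIELDS, READABLE);
  return mask(search(ROWS, searchable, term), FIELDS).length;
}
```

Searching for a non-concealed value such as an email behaves the same in both paths; the difference is that only the fixed path returns nothing for a term that exists solely in a concealed field.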
Source: This report was generated using AI