CVE-2025-64748: 
JavaScript vulnerability analysis and mitigation

A vulnerability in Directus, a real-time API and App dashboard for managing SQL database content, allows authenticated users to search concealed/sensitive fields when they have read permissions. The vulnerability, identified as CVE-2025-64748, affects versions prior to 11.13.0 and was disclosed on November 13, 2025 (GitHub Advisory).

The vulnerability enables search operations on concealed fields in the directus_users collection, including sensitive data such as tokens, tfa_secret, and password fields. While the actual values remain masked (****), successful matches can be detected through returned records. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Moderate), with the following base metrics: Network attack vector, Low attack complexity, Low privileges required, No user interaction, Unchanged scope, High confidentiality impact, and No impact on integrity or availability (GitHub Advisory).

The vulnerability can lead to token enumeration, password hash matching for identifying accounts with compromised passwords, and information disclosure through confirmation of sensitive value existence. The risk is particularly significant for password fields, where attackers can cross-reference publicly available hash databases to identify vulnerable accounts. The 'Recommended Defaults' for 'App Access' grant users full read permissions to their role/user records, making all deployments using recommended settings potentially vulnerable (GitHub Advisory).

The vulnerability has been patched in Directus version 11.13.0. Users should upgrade to this version or later to address the security issue. The fix involves modifying the search functionality to prevent searching on fields marked with the 'conceal' special flag (GitHub Commit).