CVE-2025-64749: 
JavaScript vulnerability analysis and mitigation

A vulnerability was discovered in Directus REST API (CVE-2025-64749) affecting versions below 11.13.0, disclosed on November 13, 2025. The vulnerability involves an information leakage issue where different error messages are returned when accessing existing versus non-existing collections, allowing unauthorized users to enumerate collection names (GitHub Advisory).

The vulnerability has a CVSS v3.1 score of 4.3 (Moderate) with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The issue stems from inconsistent error handling in the API endpoint /items/{collection}, where different error messages are returned for unauthorized access to existing collections versus non-existent collections. This vulnerability is classified under CWE-203 (Observable Discrepancy) and CWE-209 (Generation of Error Message Containing Sensitive Information) (GitHub Advisory, Miggo).

The vulnerability allows unauthorized users to determine the existence of collections within the Directus instance through error message differentiation, potentially exposing sensitive information about the system's structure (GitHub Advisory).

The vulnerability has been patched in Directus version 11.13.0. The fix implements consistent error messaging through a centralized function called createCollectionForbiddenError, which generates the same error response regardless of whether the collection exists or the user lacks permission (GitHub Commit).