CVE-2025-64749: 
JavaScript vulnerability analysis and mitigation

Directus, a real-time API and App dashboard for managing SQL database content, was found to have an observable difference in error messaging vulnerability in versions prior to 11.13.0. The vulnerability was discovered and disclosed on November 13, 2025. The issue affects the Directus REST API's /items/{collection} endpoint, which returns different error messages when users attempt to access existing collections they're not authorized for versus non-existing collections (GitHub Advisory).

The vulnerability is tracked as CVE-2025-64749 with a CVSS v3.1 base score of 4.3 (Medium). The vulnerability is classified under CWE-203 (Observable Discrepancy) and CWE-209 (Generation of Error Message Containing Sensitive Information). The technical issue manifests when the API returns distinct error messages: one for unauthorized access to existing collections and another for non-existent collections, creating an observable difference that can be exploited (NVD).

The vulnerability allows unauthorized users to determine the existence of collections they don't have permission to access through the difference in error messages. This information disclosure could potentially be used by attackers to map out the system's collection structure, even without proper authorization (GitHub Advisory).

The vulnerability has been fixed in Directus version 11.13.0. Users are advised to upgrade to this version or later to address the information leakage issue. The fix involves unifying the error messages to prevent information disclosure through error message differences (GitHub Advisory).