Vulnerabilities affecting this package (0)

| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |

Vulnerabilities fixed by this package (2)

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-na3v-me78-aqcg | Directus Vulnerable to Information Leakage in Existing Collections. An observable difference in error messaging was found in the Directus REST API. The `/items/{collection}` API returns different error messages for these two cases: (1) A user tries to access an existing collection which they are not authorized to access. (2) A user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users which are not authorized to access these collections. | CVE-2025-64749, GHSA-cph6-524f-3hgr |
| VCID-nvha-b5tb-dqdt | Directus's conceal fields are searchable if read permissions enabled. A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. | CVE-2025-64748, GHSA-8jpw-gpr4-8cmh |