Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-h9sb-tucg-b3fw
Vulnerability ID VCID-h9sb-tucg-b3fw
Aliases CVE-2025-64749
GHSA-cph6-524f-3hgr
Summary Directus Vulnerable to Information Leakage in Existing Collections An observable difference in error messaging was found in the Directus REST API. The `/items/{collection}` API returns different error messages for these two cases: 1. A user tries to access an existing collection which they are not authorized to access. 2. A user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users which are not authorized to access these collections.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-203 Observable Discrepancy
CWE-209 Generation of Error Message Containing Sensitive Information
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00046 https://api.first.org/data/v1/epss?cve=CVE-2025-64749
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-cph6-524f-3hgr
cvssv3.1 4.3 https://github.com/directus/directus
generic_textual MODERATE https://github.com/directus/directus
cvssv3.1 4.3 https://github.com/directus/directus/commit/f99c9b89071f9d136cc9b0d0c182f2d24542bc31
generic_textual MODERATE https://github.com/directus/directus/commit/f99c9b89071f9d136cc9b0d0c182f2d24542bc31
ssvc Track https://github.com/directus/directus/commit/f99c9b89071f9d136cc9b0d0c182f2d24542bc31
cvssv3.1 4.3 https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr
cvssv3.1_qr MODERATE https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr
generic_textual MODERATE https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr
ssvc Track https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr
cvssv3.1 4.3 https://nvd.nist.gov/vuln/detail/CVE-2025-64749
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-64749
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2025-64749
https://github.com/directus/directus
https://github.com/directus/directus/commit/f99c9b89071f9d136cc9b0d0c182f2d24542bc31
CVE-2025-64749 https://nvd.nist.gov/vuln/detail/CVE-2025-64749
GHSA-cph6-524f-3hgr https://github.com/advisories/GHSA-cph6-524f-3hgr
GHSA-cph6-524f-3hgr https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/directus/directus
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/directus/directus/commit/f99c9b89071f9d136cc9b0d0c182f2d24542bc31
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-14T17:14:48Z/ Found at https://github.com/directus/directus/commit/f99c9b89071f9d136cc9b0d0c182f2d24542bc31
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-14T17:14:48Z/ Found at https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-64749
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.14495
EPSS Score 0.00046
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:48:28.061135+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/directus/CVE-2025-64749.yml 38.6.0