Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-j9tx-h9v5-w7am
Vulnerability ID VCID-j9tx-h9v5-w7am
Aliases CVE-2025-64748
GHSA-8jpw-gpr4-8cmh
Summary Directus's conceal fields are searchable if read permissions enabled A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-201 Insertion of Sensitive Information Into Sent Data
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00044 https://api.first.org/data/v1/epss?cve=CVE-2025-64748
epss 0.00044 https://api.first.org/data/v1/epss?cve=CVE-2025-64748
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-8jpw-gpr4-8cmh
cvssv3.1 6.5 https://github.com/directus/directus
generic_textual MODERATE https://github.com/directus/directus
cvssv3.1 6.5 https://github.com/directus/directus/commit/7737d56e096f95edfbdf861a3c08999ad31ce204
generic_textual MODERATE https://github.com/directus/directus/commit/7737d56e096f95edfbdf861a3c08999ad31ce204
ssvc Track https://github.com/directus/directus/commit/7737d56e096f95edfbdf861a3c08999ad31ce204
cvssv3.1 6.5 https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh
cvssv3.1_qr MODERATE https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh
generic_textual MODERATE https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh
ssvc Track https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2025-64748
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-64748
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2025-64748
https://github.com/directus/directus
https://github.com/directus/directus/commit/7737d56e096f95edfbdf861a3c08999ad31ce204
CVE-2025-64748 https://nvd.nist.gov/vuln/detail/CVE-2025-64748
GHSA-8jpw-gpr4-8cmh https://github.com/advisories/GHSA-8jpw-gpr4-8cmh
GHSA-8jpw-gpr4-8cmh https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/directus/directus
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/directus/directus/commit/7737d56e096f95edfbdf861a3c08999ad31ce204
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T21:39:19Z/ Found at https://github.com/directus/directus/commit/7737d56e096f95edfbdf861a3c08999ad31ce204
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T21:39:19Z/ Found at https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-64748
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.13858
EPSS Score 0.00044
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:48:27.493842+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@directus/api/CVE-2025-64748.yml 38.6.0