CVE-2025-64748: Directus's conceal fields are searchable if read permissions enabled

November 13, 2025 (updated November 15, 2025)

A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (****), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data.

References

github.com/advisories/GHSA-8jpw-gpr4-8cmh
github.com/directus/directus
github.com/directus/directus/commit/7737d56e096f95edfbdf861a3c08999ad31ce204
github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh
nvd.nist.gov/vuln/detail/CVE-2025-64748

Code Behaviors & Features

Detect and mitigate CVE-2025-64748 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →