Directus, Information Disclosure, CVE-2025-64748 (Medium)

Listen to this Post

The vulnerability arises when aggregate functions like `min` or `max` are applied to fields flagged with the `conceal` special type. Under normal circumstances, the Directus API replaces the real values of concealed fields (e.g., API tokens, TOTP seeds) with a masked placeholder (“). However, the logic that applies this masking does not account for the nested structure of aggregate query results. In an aggregate query, the operation (min or max) is nested under the function name, not a flat field key. Consequently, the masking routine skips these fields, returning their raw, sensitive values to the client. When combined with a `groupBy` parameter, an authenticated user with read access to the affected collection can systematically extract all concealed field values, including static API tokens and two-factor authentication secrets from the `directus_users` table[reference:0].

DailyCVE Form:

Platform: Directus
Version: < 11.13.0
Vulnerability: Aggregate information disclosure
Severity: Medium
Date: 2025-11-13

Prediction: Patch 2025-11-13

Analytics under heading What Undercode Say:

Enumerate users and extract concealed tokens using aggregate query
curl -X GET 'https://[directus-instance]/items/directus_users?aggregate[bash]=min&groupBy[]=id' -H 'Authorization: Bearer [bash]'
Extract all TOTP seeds
curl -X GET 'https://[directus-instance]/items/directus_users?aggregate[bash]=max&groupBy[]=id' -H 'Authorization: Bearer [bash]'
Use Python to automate enumeration
python3 -c "import requests; r = requests.get('https://[directus-instance]/items/directus_users?aggregate[bash]=min&groupBy[]=id', headers={'Authorization': 'Bearer [bash]'}); print(r.json())"

Exploit:

An attacker with any authenticated session can craft an API request to the `/items/directus_users` endpoint. By adding the `aggregate` parameter with a function like `min` or `max` on a concealed field (e.g., `token` or tfa_secret) and using `groupBy` on a known field (e.g., id), the API returns the raw values of those fields for all users. This bypasses the masking logic and directly exposes sensitive credentials.

Protection from this CVE:

Update Directus to version 11.13.0 or later. Revoke read permissions on the `directus_users` collection for any untrusted roles. Implement strict field-level access controls that explicitly deny access to concealed fields. Regularly audit user permissions and apply the principle of least privilege. Consider using a Web Application Firewall (WAF) to block requests containing the `aggregate` parameter combined with `groupBy` on sensitive collections.

Impact:

Full account takeover by harvesting static API tokens. Bypass of two-factor authentication by extracting TOTP seeds. Exposure of all user password hashes if the `password` field is also concealed. Complete compromise of the Directus instance and any connected applications.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top