{"id":"CVE-2025-30352","summary":"Directus `search` query parameter allows enumeration of non-permitted fields","details":"Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the `search` query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the enumeration of unknown field contents. The searchable columns (numbers & strings) are not checked against permissions when the `where` clauses that apply the search query are built, so the search also matches on non-permitted fields and their contents can be enumerated. Version 11.5.0 fixes the issue.","aliases":["GHSA-7wq3-jr35-275c"],"modified":"2026-04-15T04:49:10.173369Z","published":"2025-03-26T17:18:39.567Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-200"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/30xxx/CVE-2025-30352.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/30xxx/CVE-2025-30352.json"},{"type":"ADVISORY","url":"https://github.com/directus/directus/security/advisories/GHSA-7wq3-jr35-275c"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30352"},{"type":"FIX","url":"https://github.com/directus/directus/commit/ac5a9964d9926f20dc063a74cb417dc7bbad676d"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/directus/directus","events":[{"introduced":"ba72d2cfd040f7f0db282ccac006f36df6f05058"},{"fixed":"f854746ef0a28c1208d51ab36386e3b353fd721d"},{"fixed":"ac5a9964d9926f20dc063a74cb417dc7bbad676d"}],"database_specific":{"versions":[{"introduced":"9.0.1"},{"fixed":"11.5.0"}]}}],"versions":["10.11.2","v10.0.0","v10.1.0","v10.1.1","v10.10.0","v10.10.1","v10.10.2","v10.10.3","v10.10.4","v10.10.5","v10.10.6","v10.10.7","v10.11.0","v10.11.1","v10.11.2","v10.12.1","v10.13.0","v10.13.1","v10.13.2","v10.2.0","v10.2.1","v10
.3.0","v10.4.0","v10.4.2","v10.4.3","v10.5.0","v10.5.1","v10.5.2","v10.5.3","v10.6.0","v10.6.1","v10.6.2","v10.6.3","v10.6.4","v10.7.0","v10.7.1","v10.7.2","v10.8.0","v10.8.1","v10.8.2","v10.8.3","v10.9.0","v10.9.1","v10.9.2","v10.9.3","v11.0.0","v11.0.1","v11.0.2","v11.1.0","v11.1.1","v11.1.2","v11.2.0","v11.2.1","v11.2.2","v11.3.0","v11.3.1","v11.3.2","v11.3.3","v11.3.4","v11.3.5","v11.4.0","v11.4.1","v9.0.1","v9.1.0","v9.1.1","v9.1.2","v9.10.0","v9.11.0","v9.11.1","v9.12.0","v9.12.1","v9.12.2","v9.13.0","v9.14.1","v9.14.2","v9.14.3","v9.14.4","v9.14.5","v9.15.0","v9.15.1","v9.16.0","v9.16.1","v9.17.0","v9.17.1","v9.17.2","v9.17.3","v9.17.4","v9.18.0","v9.18.1","v9.19.0","v9.19.1","v9.19.2","v9.2.0","v9.2.1","v9.2.2","v9.20.0","v9.20.1","v9.20.2","v9.20.3","v9.20.4","v9.21.0","v9.21.1","v9.21.2","v9.22.0","v9.22.1","v9.22.2","v9.22.3","v9.22.4","v9.23.0","v9.23.1","v9.23.2","v9.23.3","v9.23.4","v9.24.0","v9.25.0","v9.25.1","v9.25.2","v9.26.0","v9.3.0","v9.4.0","v9.4.1","v9.4.2","v9.4.3","v9.5.0","v9.5.1","v9.5.2","v9.6.0","v9.7.0","v9.7.1","v9.8.0","v9.9.0","v9.9.1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha10"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha11"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha12"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha13"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha14"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha15"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha16"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha17"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha18"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha19"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha20"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha21"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha22"}]},{"events":[{"i
ntroduced":"0"},{"last_affected":"9.0.0-alpha23"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha24"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha25"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha26"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha27"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha31"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha32"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha33"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha34"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha35"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha36"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha37"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha38"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha39"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha4"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha40"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha41"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha42"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha5"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha6"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha7"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha8"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha9"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta10"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta11"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta12"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta13"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta14"}]},{"events":[{"introduced":"0"},{"last_affected":"9
.0.0-beta2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta3"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta4"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta5"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta7"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta8"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta9"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc10"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc100"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc101"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc11"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc12"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc13"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc14"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc15"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc17"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc18"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc19"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc20"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc21"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc22"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc23"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc24"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc25"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc26"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc27"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc28"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc29"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc3"}]},{"events":[{"introduced":"0"
},{"last_affected":"9.0.0-rc30"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc31"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc32"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc33"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc34"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc35"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc36"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc37"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc38"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc39"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc4"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc40"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc41"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc42"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc43"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc44"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc45"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc46"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc47"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc48"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc49"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc5"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc50"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc51"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc52"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc53"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc54"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc55"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc56"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc57"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc58"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc59"}]},{"events":[{"i
ntroduced":"0"},{"last_affected":"9.0.0-rc6"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc60"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc61"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc62"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc63"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc64"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc65"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc66"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc67"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc68"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc69"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc7"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc70"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc71"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc72"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc73"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc74"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc75"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc76"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc77"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc78"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc79"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc8"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc80"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc81"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc82"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc83"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc84"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc85"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc86"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc87"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc88"}]},{
"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc89"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc9"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc90"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc91"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc92"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc93"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc94"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc95"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc96"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc97"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc98"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc99"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-30352.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}