CVE-2025-64748: Directus Missing Oauth Scope Validation
A request handler verifies user, role, or admin accountability but fails to enforce OAuth-specific restrictions (e.g., token scope, audience, or transport). If OAuth tokens are accepted by the system, attackers can supply a valid OAuth token intended for other purposes to access this endpoint. Enforce OAuth restrictions by verifying properties under `req.acc
Fetch the rule: `greprules fetch cve-2025-64748-directus-missing-oauth-scope-validation --engine opengrep`
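The pattern the rule describes, as an added illustration (this is not code from Directus, from the rule, or from greprules): a handler that checks only the caller's accountability, beside a hardened version that, when the caller authenticated with an OAuth token, also enforces the token's scope, audience and transport. The `req.authContext` object, the `oauth` claims hung off it, the audience URL and the scope name are all assumptions constructed for this example; the transport check reads `x-forwarded-proto` and `req.protocol` the way an Express app behind a reverse proxy would.

```javascript
'use strict';

// Added example, not code from Directus or the rule. It assumes an upstream auth
// middleware has attached a hypothetical `req.authContext` carrying the caller's
// identity (user, role, admin) and, for OAuth callers, the decoded token claims
// under `oauth` (`aud`, space-delimited `scope`). Audience and scope are constructed.
const EXPECTED_AUDIENCE = 'https://api.example.test'; // constructed
const REQUIRED_SCOPE = 'settings:write';              // constructed

// Vulnerable pattern: only accountability is checked. A valid token minted for a
// different service or purpose still passes as long as its owner is an admin.
function vulnerableHandler(req) {
  const ctx = req.authContext;
  if (!ctx || !ctx.admin) {
    return { status: 403, body: 'forbidden' };
  }
  return { status: 200, body: 'settings updated' };
}

// Returns null when the OAuth restrictions hold (or the caller is not an OAuth
// caller), otherwise a short reason string.
function oauthRestrictionError(req, requiredScope) {
  const oauth = req.authContext && req.authContext.oauth;
  if (!oauth) return null; // e.g. session-cookie caller: nothing token-specific to enforce

  // Transport: a bearer token must not be accepted over plaintext HTTP.
  const proto = (req.headers['x-forwarded-proto'] || req.protocol || '').toLowerCase();
  if (proto !== 'https') return 'token presented over insecure transport';

  // Audience: the token must have been issued for this service, not another one.
  const aud = Array.isArray(oauth.aud) ? oauth.aud : [oauth.aud];
  if (!aud.includes(EXPECTED_AUDIENCE)) return 'token audience mismatch';

  // Scope: space-delimited per RFC 6749 section 3.3; require the specific scope.
  const scopes = typeof oauth.scope === 'string' ? oauth.scope.split(' ').filter(Boolean) : [];
  if (!scopes.includes(requiredScope)) return `missing scope ${requiredScope}`;

  return null;
}

// Hardened pattern: accountability first, then the OAuth-specific restrictions.
function hardenedHandler(req) {
  const ctx = req.authContext;
  if (!ctx || !ctx.admin) {
    return { status: 403, body: 'forbidden' };
  }
  const err = oauthRestrictionError(req, REQUIRED_SCOPE);
  if (err) {
    return { status: 403, body: err };
  }
  return { status: 200, body: 'settings updated' };
}

// Constructed request objects for illustration.
function makeRequest({ admin = true, oauth = null, proto = 'https' } = {}) {
  return {
    protocol: proto,
    headers: { 'x-forwarded-proto': proto },
    authContext: { user: 'u1', role: 'r1', admin, oauth },
  };
}

// A valid, admin-owned token issued for another service and purpose (constructed).
const foreignToken = { aud: 'https://other-service.example.test', scope: 'profile:read' };
// A token issued for this service with the needed scope (constructed).
const properToken = { aud: EXPECTED_AUDIENCE, scope: 'settings:read settings:write' };

console.log('vulnerable, foreign token :', vulnerableHandler(makeRequest({ oauth: foreignToken })));
console.log('hardened,   foreign token :', hardenedHandler(makeRequest({ oauth: foreignToken })));
console.log('hardened,   proper token  :', hardenedHandler(makeRequest({ oauth: properToken })));
console.log('hardened,   proper, http  :', hardenedHandler(makeRequest({ oauth: properToken, proto: 'http' })));
```

The first two lines of output are the point: the same foreign token is accepted by the accountability-only handler and rejected by the hardened one. Keeping `oauthRestrictionError` separate from the handler makes it easy to reuse as middleware and to write a detection rule against handlers that reference the accountability object without calling it.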