CVE-2025-47937

Description

### Problem When performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are only applied via `FrontendGroupRestriction` to the last table. As a result, data from additional tables included in the same query may be unintentionally exposed to unauthorized users. ### Solution Update to TYPO3 versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described. ### Credits Thanks to Christian Futterlieb for reporting this issue, and to TYPO3 security team member Elias Häußler for fixing it.

How to fix CVE-2025-47937

To remediate CVE-2025-47937, upgrade the affected package to a fixed version below.

• —upgrade to 9.5.51 or later

Is CVE-2025-47937 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 9.0.0, < 9.5.51

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-47937
• PATCHgithub.com/TYPO3-CMS/core
• WEBgithub.com/TYPO3/typo3/security/advisories/GHSA-x8pv-fgxp-8v3x
• WEBtypo3.org/security/advisory/typo3-core-sa-2025-011