CVE-2025-59017
TYPO3 backend modules have Broken Access Control
EPSS 0.10%
Description
Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0 to 9.5.54, 10.0.0 to 10.4.53, 11.0.0 to 11.5.47, 12.0.0 to 12.4.36, and 13.0.0 to 13.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules.
How to fix CVE-2025-59017
To remediate CVE-2025-59017, upgrade each affected package to the fixed version listed below.
- Packagist/typo3/cms-backend—upgrade to 12.4.37 or later
- Packagist/typo3/cms-beuser—upgrade to 13.4.18 or later
- —upgrade to 12.4.37 or later
- —upgrade to 12.4.37 or later
- —upgrade to 12.4.37 or later
Is CVE-2025-59017 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (5)
- >= 9.0.0, < 12.4.37
- >= 13.0.0, < 13.4.18
- >= 10.0.0, < 12.4.37
- >= 9.0.0, < 12.4.37
- >= 9.0.0, < 12.4.37
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |