CVE-2025-59013
📋 TL;DR
An open-redirect vulnerability in TYPO3 CMS's GeneralUtility::sanitizeLocalUrl function allows attackers to redirect users to malicious external websites by supplying manipulated URLs. This enables phishing attacks where users are tricked into visiting fraudulent sites. Affected are TYPO3 CMS versions 9.0.0 through 13.4.17.
💻 Affected Systems
- TYPO3 CMS
📦 What is this software?
Typo3 by Typo3
⚠️ Risk & Real-World Impact
Worst Case
Users are redirected to convincing phishing sites that steal credentials, financial information, or deliver malware, leading to account compromise, data theft, or ransomware infection.
Likely Case
Attackers create convincing phishing campaigns using legitimate TYPO3 site URLs to redirect victims to credential harvesting pages or malicious downloads.
If Mitigated
With proper web application firewalls and user education about phishing, impact is limited to some user confusion and potential minor credential exposure.
🎯 Exploit Status
Exploitation requires the attacker to craft a specific URL that bypasses the sanitization logic. No authentication is required to trigger the redirect once the malicious URL is accessed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: TYPO3 v9 LTS: 9.5.55, v10 LTS: 10.4.54, v11 LTS: 11.5.48, v12 LTS: 12.4.37, v13 LTS: 13.4.18
Vendor Advisory: https://typo3.org/security/advisory/typo3-core-sa-2025-017
Restart Required: No
Instructions:
1. Back up your TYPO3 installation and database.
2. Update the TYPO3 core to the patched version via Composer (composer update typo3/cms-core) or the TYPO3 Extension Manager.
3. Clear all caches in the TYPO3 backend.
4. Test functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement custom input validation to reject URLs containing external domains in parameters that use GeneralUtility::sanitizeLocalUrl.
Web Application Firewall Rule
Configure the WAF to block requests with suspicious redirect parameters or external URLs in specific query parameters.
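The following is an added illustration of the input-validation workaround above; it is not TYPO3 code and not a reimplementation of GeneralUtility::sanitizeLocalUrl. It is written in Python (TYPO3 itself is PHP) so it can sit in a reverse proxy or pre-filter in front of the affected parameter. The function name is_local_url, the decode-round limit and the fallback target are assumptions of this example. It accepts only same-site relative paths and refuses the forms an allow-list for a redirect target must refuse: absolute URLs, scheme-relative "//host" prefixes (including percent-encoded ones), backslashes and control characters that browsers normalise inconsistently.

```python
# Added example (not TYPO3 project code): allow-list check for a redirect /
# "return to" parameter that accepts only same-origin relative paths.
from urllib.parse import unquote, urlsplit

def is_local_url(candidate: str, max_decode_rounds: int = 3) -> bool:
    """Return True only for a relative, same-origin path such as '/page?id=1'."""
    value = candidate
    # Undo repeated percent-encoding so '%2F%2F' cannot hide a '//' prefix.
    # The round limit is an assumption of this example.
    for _ in range(max_decode_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.strip()
    if not value:
        return False
    # Control characters and backslashes are normalised differently by
    # browsers; refuse them outright rather than guess how they are read.
    if any(ord(c) < 0x20 or c == "\\" for c in value):
        return False
    # Must start with exactly one '/'; '//host' is scheme-relative and external.
    if not value.startswith("/") or value.startswith("//"):
        return False
    parts = urlsplit(value)
    # The stdlib parser must agree that there is no scheme and no authority.
    if parts.scheme or parts.netloc:
        return False
    return True

def safe_redirect_target(candidate: str, fallback: str = "/") -> str:
    """Use the supplied target when it is local, otherwise fall back to the site root."""
    return candidate if is_local_url(candidate) else fallback
```

Use safe_redirect_target() wherever the application would otherwise pass the raw parameter to a Location header; rejected values fall back to the site root instead of being echoed.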
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) with frame-ancestors and connect-src directives to limit redirect targets.
- Deploy network-level filtering to block outbound connections to known malicious domains from your TYPO3 servers.
🔍 How to Verify
Check if Vulnerable:
Check TYPO3 version in backend under 'Admin Tools > System > Environment' or via composer show typo3/cms-core.
Check Version:
composer show typo3/cms-core | grep versions
Verify Fix Applied:
After update, verify version matches patched version and test that crafted URLs with external domains no longer redirect.
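As an added example (not part of the advisory), the version check above can be automated against the output of composer show typo3/cms-core. The fixed releases and the affected range are the ones stated on this page; the helper names and the sample composer output lines are constructed for this example. Versions on non-LTS minor branches inside the affected range (for which no fixed release is listed) are treated as affected.

```python
# Added example (not TYPO3 project code): decide whether an installed
# typo3/cms-core version is below the fixed release for its LTS branch.
from typing import List, Optional, Tuple

# Fixed releases from the advisory on this page, keyed by (major, minor).
FIXED_VERSIONS = {
    (9, 5): (9, 5, 55),
    (10, 4): (10, 4, 54),
    (11, 5): (11, 5, 48),
    (12, 4): (12, 4, 37),
    (13, 4): (13, 4, 18),
}
AFFECTED_FROM = (9, 0, 0)
AFFECTED_TO = (13, 4, 17)

def parse_version(raw: str) -> Tuple[int, int, int]:
    """Parse 'v12.4.30', '12.4.30-dev' or '13.4.17' into (major, minor, patch)."""
    core = raw.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {raw!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)

def is_vulnerable(raw: str) -> bool:
    """True if the version is inside the affected range and below its branch's fix."""
    v = parse_version(raw)
    if v < AFFECTED_FROM or v > AFFECTED_TO:
        return False
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        # Non-LTS minor (e.g. 9.3.x, 10.2.x): no fixed release exists on that
        # branch, so it never received the patch and stays affected.
        return True
    return v < fixed

def check_composer_output(lines: List[str]) -> Optional[bool]:
    """Scan `composer show typo3/cms-core` output for its 'versions' line.

    Returns True/False for vulnerable/not vulnerable, or None if the line
    is absent. The expected line shape ('versions : * v12.4.30') is an
    assumption of this example.
    """
    for line in lines:
        if line.strip().startswith("versions"):
            token = line.split(":", 1)[1].replace("*", "").strip()
            return is_vulnerable(token)
    return None
```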
📡 Detection & Monitoring
Log Indicators:
- Unusual redirect patterns in web server logs (302/301 responses to external domains)
- Requests with suspicious URL parameters containing 'http://' or 'https://' followed by external domains
Network Indicators:
- Outbound HTTP/HTTPS connections from TYPO3 server to unexpected external domains following user visits
SIEM Query:
web_access_logs status_code IN (301,302) AND url CONTAINS 'redirect' AND dest_host NOT IN (allowed_domains)
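The log indicators above can be checked offline with the added script below, which is not part of the advisory. It assumes an Apache-style LogFormat that appends the response Location header as one more quoted field after the User-Agent; the allow-listed hostnames and the four sample log lines are constructed for this example. A line is reported when a 301/302 response points outside the allow-list, or when any query parameter carries an absolute or scheme-relative URL to a non-allow-listed host, matching the two indicators listed.

```python
# Added example (not from the advisory): flag suspicious redirects in web
# server access logs. Log lines and hostnames below are constructed samples.
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts that a legitimate redirect from this site may target (assumed).
ALLOWED_HOSTS = {"www.example.org", "example.org"}

# Combined log format plus a trailing quoted Location header (assumed LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<location>[^"]*)"$'
)

def external_host(url: str) -> str:
    """Host of an absolute or scheme-relative URL if it is not allow-listed, else ''."""
    host = (urlsplit(url.strip()).hostname or "").lower()
    return host if host and host not in ALLOWED_HOSTS else ""

def analyse_line(line: str) -> Dict[str, str]:
    """Return findings for one log line, or {} if the line is clean or unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return {}
    findings: Dict[str, str] = {}
    status = int(m.group("status"))
    # Indicator 1: 301/302 whose Location leaves the allow-listed domains.
    loc_host = external_host(m.group("location")) if status in (301, 302) else ""
    if loc_host:
        findings["external_redirect"] = loc_host
    # Indicator 2: a query parameter whose value is a URL to an external host.
    query = urlsplit(m.group("uri")).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            host = external_host(unquote(value))
            if host:
                findings["external_param"] = f"{name}={host}"
    if findings:
        findings["ip"] = m.group("ip")
        findings["uri"] = m.group("uri")
    return findings

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run analyse_line over a log and keep only lines with findings."""
    return [f for f in (analyse_line(line) for line in lines) if f]

# Constructed sample log; not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /index.php?id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"',
    '203.0.113.5 - - [10/Oct/2025:12:00:02 +0000] "GET /index.php?id=3&redirect_url=https%3A%2F%2Flogin.attacker.example%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0" "https://login.attacker.example/"',
    '198.51.100.7 - - [10/Oct/2025:12:00:03 +0000] "GET /old-page HTTP/1.1" 301 0 "-" "curl/8.0" "https://www.example.org/new-page"',
    '198.51.100.7 - - [10/Oct/2025:12:00:04 +0000] "GET /login?returnUrl=//evil.example/ HTTP/1.1" 302 0 "-" "Mozilla/5.0" "//evil.example/"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The third sample line (a 301 to an allow-listed host) is intentionally not reported, so the allow-list is what separates routine redirects from the pattern the SIEM query above targets.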