CVE-2025-59021
📋 TL;DR
This CVE describes an authorization bypass vulnerability in TYPO3 CMS where backend users with redirect module access and write permissions could manipulate any redirect record without proper mount restrictions. This allows attackers to create or modify redirects pointing to malicious URLs, enabling phishing or other redirect-based attacks. Affected versions include TYPO3 CMS 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22, and 14.0.0-14.0.1.
💻 Affected Systems
- TYPO3 CMS
📦 What is this software?
Typo3 by Typo3
⚠️ Risk & Real-World Impact
Worst Case
Attackers with backend access could redirect legitimate website traffic to phishing sites, malware distribution points, or credential harvesting pages, potentially compromising all site visitors.
Likely Case
Malicious redirects inserted by compromised or rogue backend users lead to phishing campaigns targeting website visitors, damaging brand reputation and user trust.
If Mitigated
With proper access controls and monitoring, impact is limited to redirect manipulation within authorized user scopes, preventing widespread malicious redirects.
🎯 Exploit Status
Exploitation requires authenticated backend access with specific permissions. The vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: TYPO3 v10.4.55, v11.5.49, v12.4.41, v13.4.23, v14.0.2
Vendor Advisory: https://typo3.org/security/advisory/typo3-core-sa-2026-002
Restart Required: No
Instructions:
1. Identify your TYPO3 version.
2. Update to the patched version using Composer: composer require typo3/cms-core:~10.4.55 (adjust version).
3. Clear caches via Install Tool.
4. Verify update completed successfully.
🔧 Temporary Workarounds
Restrict redirect module access
Temporarily remove redirect module permissions from backend users who don't absolutely need them.
Navigate to Admin Tools > Access > Backend Users > Edit user > Modules > Uncheck 'Redirects'
Implement redirect validation
Add custom validation to ensure redirects only point to allowed domains or internal paths.
Implement a custom TYPO3 extension with a hook in DataHandler to validate redirect URLs.
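As an added example of the DataHandler-hook workaround above (not code from the advisory or from TYPO3 core): a hook class that empties the field array, and so blocks the write, when a sys_redirect target is neither a page link, a site-relative path, nor an http(s) URL to an allowlisted host. The namespace Vendor\RedirectGuard, the allowed hosts, and the registration of the class in ext_localconf.php under $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][] are assumptions; the integer codes passed to log() are those used by TYPO3 10 to 12, so confirm them against the version you run.

```php
<?php
declare(strict_types=1);

namespace Vendor\RedirectGuard\Hooks;

use TYPO3\CMS\Core\DataHandling\DataHandler;

final class RedirectTargetGuard
{
    /** Hosts that external redirects may point at; constructed sample values. */
    private const ALLOWED_HOSTS = ['www.example.org', 'docs.example.org'];

    // Called by DataHandler for every record it is about to write.
    public function processDatamap_postProcessFieldArray(
        string $status, string $table, $id, array &$fieldArray, DataHandler $dataHandler
    ): void {
        if ($table !== 'sys_redirect' || !isset($fieldArray['target'])) {
            return;
        }
        $target = (string)$fieldArray['target'];
        if (self::isAllowedTarget($target)) {
            return;
        }
        // An emptied field array makes DataHandler skip writing this record.
        $fieldArray = [];
        // Integer log codes (action 2 = update, error 1 = user error) as used by
        // TYPO3 10-12 (assumed); $id casts to 0 for NEW... ids of unsaved records.
        $dataHandler->log($table, (int)$id, 2, 0, 1,
            'Redirect target rejected by allowlist: ' . $target);
    }

    public static function isAllowedTarget(string $target): bool
    {
        // Page links (t3://page?uid=1) and site-relative paths are internal; other
        // t3:// forms such as t3://url can wrap an external URL and fall through.
        if (strpos($target, 't3://page') === 0) {
            return true;
        }
        if (strpos($target, '/') === 0) {
            return strpos($target, '//') !== 0;  // "//host/..." is protocol-relative
        }
        // Anything else must be an absolute http(s) URL to an allowlisted host.
        $parts = parse_url($target);
        if ($parts === false || empty($parts['host'])) {
            return false;
        }
        return in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)
            && in_array(strtolower($parts['host']), self::ALLOWED_HOSTS, true);
    }
}
```

Because the hook runs inside DataHandler, it applies to edits made through the backend forms as well as imports and CLI-driven writes, which is what makes it a reasonable stop-gap until the patch is applied.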
🧯 If You Can't Patch
- Restrict backend user permissions to minimum required, especially for redirect module access.
- Implement web application firewall rules to detect and block suspicious redirect patterns.
🔍 How to Verify
Check if Vulnerable:
Check the TYPO3 version in the Install Tool or via composer show typo3/cms-core. If the version falls within the affected ranges, the system is vulnerable.
Check Version:
composer show typo3/cms-core | grep versions
Verify Fix Applied:
After update, verify version shows patched version (e.g., 10.4.55 or higher). Test redirect creation with limited user to ensure mount restrictions work.
📡 Detection & Monitoring
Log Indicators:
- Unusual redirect creation/modification patterns
- Backend user activity from unexpected IPs or times
- sys_log entries showing redirect table modifications
Network Indicators:
- HTTP 301/302 redirects to external domains not in allowlist
- Redirect chains pointing to suspicious domains
SIEM Query:
source="typo3" AND (event="redirect_created" OR event="redirect_modified") AND user NOT IN [authorized_users]