CVE-2025-59022
📋 TL;DR
This vulnerability allows backend users with access to the recycler module to delete arbitrary data from any database table defined in TYPO3's TCA, regardless of permissions. Attackers can purge critical site data, potentially rendering websites unavailable. It affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22, and 14.0.0-14.0.1.
💻 Affected Systems
- TYPO3 CMS
📦 What is this software?
Typo3 by Typo3
⚠️ Risk & Real-World Impact
Worst Case
Complete destruction of all database content, including user data, content, and configuration, leading to permanent data loss and website unavailability.
Likely Case
Targeted deletion of critical tables (e.g., user accounts, content pages) causing service disruption and data corruption.
If Mitigated
Limited impact if strict access controls limit backend user accounts and recycler module access is restricted to trusted administrators only.
🎯 Exploit Status
Exploitation requires backend user credentials with recycler module access. The vulnerability is simple to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: TYPO3 v10.4.55, v11.5.49, v12.4.41, v13.4.23, v14.0.2
Vendor Advisory: https://typo3.org/security/advisory/typo3-core-sa-2026-003
Restart Required: No
Instructions:
1. Identify your TYPO3 version.
2. Update to the patched version using Composer: composer require typo3/cms-core:~10.4.55 (adjust version accordingly).
3. Clear caches via the TYPO3 backend or command line: typo3 cache:flush.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable Recycler Module
Remove access to the recycler module for all backend users to prevent exploitation.
In TYPO3 backend, go to Admin Tools > User Settings > Modules and uncheck 'Recycler' for all user groups.
Restrict Backend User Access
Limit backend user accounts to only essential administrators and review permissions.
Review and remove unnecessary backend user accounts via TYPO3 backend User Admin module.
🧯 If You Can't Patch
- Immediately disable the recycler module for all backend users via TYPO3 backend settings.
- Implement strict network access controls to limit TYPO3 backend access to trusted IP addresses only.
🔍 How to Verify
Check if Vulnerable:
Check your TYPO3 version in the backend under 'Help' > 'About TYPO3' or via command line: php typo3/sysext/core/bin/typo3 --version.
Check Version:
php typo3/sysext/core/bin/typo3 --version
Verify Fix Applied:
After updating, verify the version matches the patched version and test recycler module functionality with a non-admin user to ensure proper permission checks.
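As an added example (not part of this advisory or of TYPO3 itself), a small Python helper that parses the output of the version command above and compares it against the affected ranges and patch versions listed on this page. It assumes the CLI prints a plain x.y.z version somewhere in its output.

```python
"""Check a TYPO3 core version against the CVE-2025-59022 affected ranges."""
import re
import subprocess

# Per major branch: first affected, last affected, first fixed release,
# exactly as listed in the advisory above.
RANGES = {
    10: ((10, 0, 0), (10, 4, 54), "10.4.55"),
    11: ((11, 0, 0), (11, 5, 48), "11.5.49"),
    12: ((12, 0, 0), (12, 4, 40), "12.4.41"),
    13: ((13, 0, 0), (13, 4, 22), "13.4.23"),
    14: ((14, 0, 0), (14, 0, 1), "14.0.2"),
}


def parse_version(text):
    """Extract the first x.y.z triple from CLI output (assumed format,
    e.g. 'TYPO3 CLI 12.4.40'); suffixes such as '-dev' are ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(version):
    """Return (affected, fixed_version) for a (major, minor, patch) tuple.

    fixed_version is None when the major branch is not listed in the
    advisory at all (the page makes no statement about such branches)."""
    entry = RANGES.get(version[0])
    if entry is None:
        return False, None
    low, high, fixed = entry
    return low <= version <= high, fixed


def check_installed(typo3_bin="typo3/sysext/core/bin/typo3"):
    """Run the version command from the page and assess its output."""
    out = subprocess.run(["php", typo3_bin, "--version"],
                         capture_output=True, text=True, check=True).stdout
    return assess(parse_version(out))


if __name__ == "__main__":
    affected, fixed = check_installed()
    print("AFFECTED, update to >= " + fixed if affected else "not in an affected range")
```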
📡 Detection & Monitoring
Log Indicators:
- Unusual DELETE queries in database logs from recycler module actions
- Multiple 'recycler' module access logs from non-admin users
- Error logs indicating missing data or table corruption
Network Indicators:
- Increased backend traffic to recycler-related endpoints (e.g., /typo3/module/web/recycler)
SIEM Query:
source="typo3_logs" AND (message="*recycler*" AND message="*delete*")