Possible Arbitrary Code Execution in CommandUtility API

Categories: Development
It has been discovered that TYPO3 CMS can be vulnerable to arbitrary code execution.
  • Release Date: January 22, 2019
  • Component Type: CommandUtility API (ext:core)
  • Impact: Possible Arbitrary Code Execution
  • Type: Advisory

Problem Description

It has been discovered that TYPO3 core API CommandUtility::checkCommand() can be vulnerable to arbitrary code execution. Albeit no insecure usage inside the TYPO3 core system could be identified it might be possible that third party extensions are making use of the mentioned API in combination with user-submitted data. Until now it is unproven that there is an existing exploit.


Update to TYPO3 versions 8.7.23 or 9.5.4 that fix the problem described. In order to evaluate whether third party extensions open a potential attack vector, usages of CommandUtility::checkCommand(), CommandUtility::getCommand() and the registration of custom services ($GLOBALS['T3_SERVICES') concerning their 'exec' argument have to be checked.

In general, arbitrary data that shall be used in system commands must be escaped accordingly by invoking PHP’s escape-shell functions:

TYPO3’s API function CommandUtility::escapeShellArgument() should be invoked when having to deal with file names containing special characters on unicode-aware file-systems - internally it is wrapping PHP’s escapeshellarg() function.



Thanks to TYPO3 core team member Frank Nägler who reported this issue and to TYPO3 core team member Oliver Hader who addressed the issue.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.