- Component Type: TYPO3 CMS
- Subcomponent: File Abstraction Layer (ext:core)
- Release Date: September 9, 2025
- Vulnerability Type: Information Disclosure
- Affected Versions: 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, 13.0.0-13.4.17
- Severity: Medium
- Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
- References: CVE-2025-59016, CWE-209
Problem Description
When specific low‑level file‑system operations fail during execution through the File Abstraction Layer, the full path of the affected resource is disclosed. Exploiting this vulnerability requires a valid backend user account.
Solution
Update to TYPO3 versions 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS, 12.4.37 LTS, 13.4.18 LTS that fix the problem described.
Credits
Thanks to Dmitry Petschke and Marc Willmann for reporting this issue, and to TYPO3 core team member Andreas Kienast for fixing it.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
General Note
All security-related code changes are tagged so you can easily look them up in our review system.