TYPO3-CORE-SA-2025-020: Information Disclosure via File Abstraction Layer

Categories: Development, TYPO3 CMS Created by Oliver Hader
It has been discovered that TYPO3 CMS is susceptible to information disclosure.


Problem Description

When specific low‑level file‑system operations fail during execution through the File Abstraction Layer, the full path of the affected resource is disclosed. Exploiting this vulnerability requires a valid backend user account.

Solution

Update to TYPO3 versions 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS, 12.4.37 LTS, 13.4.18 LTS that fix the problem described.

Credits

Thanks to Dmitry Petschke and Marc Willmann for reporting this issue, and to TYPO3 core team member Andreas Kienast for fixing it.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look them up in our review system.