- Component Type: TYPO3 CMS
- Subcomponent: Backend Routing (ext:backend)
- Release Date: September 9, 2025
- Vulnerability Type: Broken Access Control
- Affected Versions: 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, 13.0.0-13.4.17
- Severity: Medium
- Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
- References: CVE-2025-59017, CWE-862
Problem Description
Dedicated AJAX routes used by TYPO3 backend modules were not protected by the same permission checks that guard the modules themselves. As a result, an authenticated backend user could call these routes directly, even if the user had no access to the corresponding module.
This allowed such users to read, modify or delete data that the module's access restrictions were meant to protect, effectively bypassing module-level restrictions.
Solution
Update to TYPO3 versions 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS, 12.4.37 LTS, 13.4.18 LTS that fix the problem described.
The AJAX route property inheritAccessFromModule is introduced. When this property is set, a route is explicitly bound to the permissions of a specified backend module.
In general, developers are advised to always verify authorization on target resources (pages, database tables, files, etc.) within the corresponding AJAX handler or controller. More details are available at https://docs.typo3.org/permalink/t3coreapi:be-user-check.
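The following is an added example written for this advisory, not TYPO3 core code, showing how an extension can apply both layers of the advice above: binding an AJAX route to a backend module via the inheritAccessFromModule route property, and still verifying authorization on the target resource inside the handler. The extension name (my_ext), route name, path, controller class, the choice of the web_layout module and the "hide a page" action are assumptions made for illustration; the route property, the BackendUserAuthentication checks (check, doesUserHaveAccess), BackendUtility::getRecord and DataHandler are existing TYPO3 core APIs.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 core code. It illustrates two layers of protection for
// an extension's backend AJAX route:
//   1. bind the route to a backend module with inheritAccessFromModule, so the
//      backend router rejects users who may not use that module;
//   2. still check authorization on the concrete target resource in the handler.
//
// Assumed Configuration/Backend/AjaxRoutes.php of a hypothetical extension
// "my_ext" (route name, path, class and module identifier are assumptions):
//
//   return [
//       'my_ext_hide_page' => [
//           'path' => '/my-ext/hide-page',
//           'target' => \Vendor\MyExt\Controller\HidePageAjaxController::class . '::hideAction',
//           // Route is only reachable by users who have access to the web_layout module.
//           'inheritAccessFromModule' => 'web_layout',
//       ],
//   ];

namespace Vendor\MyExt\Controller;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use TYPO3\CMS\Backend\Utility\BackendUtility;
use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
use TYPO3\CMS\Core\DataHandling\DataHandler;
use TYPO3\CMS\Core\Http\JsonResponse;
use TYPO3\CMS\Core\Type\Bitmask\Permission;
use TYPO3\CMS\Core\Utility\GeneralUtility;

final class HidePageAjaxController
{
    public function hideAction(ServerRequestInterface $request): ResponseInterface
    {
        $backendUser = $this->getBackendUser();
        $body = (array)($request->getParsedBody() ?? []);
        $pageUid = (int)($body['pageUid'] ?? 0);

        // Defense in depth: the route may already inherit module access, but the
        // route could be registered without the property or the handler reused
        // elsewhere, so the handler verifies the module permission itself.
        if (!$backendUser->isAdmin() && !$backendUser->check('modules', 'web_layout')) {
            return new JsonResponse(['error' => 'Module access denied'], 403);
        }

        // Resource-level authorization: the user must be allowed to edit this
        // specific page record (page permissions, DB mounts) and to modify the
        // "pages" table at all. Module access alone does not imply either.
        $page = BackendUtility::getRecord('pages', $pageUid);
        if ($page === null
            || !$backendUser->doesUserHaveAccess($page, Permission::PAGE_EDIT)
            || !$backendUser->check('tables_modify', 'pages')
        ) {
            return new JsonResponse(['error' => 'No permission for page ' . $pageUid], 403);
        }

        // Apply the change through DataHandler so the core's own record-level
        // checks (workspaces, editlock, field access) are enforced as well.
        $dataHandler = GeneralUtility::makeInstance(DataHandler::class);
        $dataHandler->start(['pages' => [$pageUid => ['hidden' => 1]]], []);
        $dataHandler->process_datamap();
        if ($dataHandler->errorLog !== []) {
            return new JsonResponse(['error' => $dataHandler->errorLog], 400);
        }

        return new JsonResponse(['ok' => true, 'pageUid' => $pageUid]);
    }

    private function getBackendUser(): BackendUserAuthentication
    {
        return $GLOBALS['BE_USER'];
    }
}
```

The route property stops the direct-call bypass described in this advisory for users lacking the module; the checks inside the handler are what prevent a user who does have the module from acting on pages or tables outside their own permissions, which is why the advisory recommends both.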
Credits
Thanks to TYPO3 security team member Elias Häußler for reporting and fixing this issue.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
General Note
All security-related code changes are tagged so you can easily look them up in our review system.