TYPO3-CORE-SA-2025-021: Broken Access Control in Backend AJAX Routes

Categories: Development, TYPO3 CMS
Created by Oliver Hader
It has been discovered that TYPO3 CMS is susceptible to broken access control.
Problem Description

Dedicated AJAX routes used by TYPO3 backend modules were not protected by the same permission checks that guard the modules themselves. As a result, an authenticated backend user could call these routes directly, even if the user had no permission to access the corresponding module.
This allowed such users to read, modify, or delete data directly, effectively bypassing module-level restrictions.

Solution

Update to TYPO3 versions 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS, 12.4.37 LTS, 13.4.18 LTS that fix the problem described.

The AJAX route property inheritAccessFromModule is introduced. When this property is set, the route is explicitly bound to the permissions of the specified backend module, so only users who may access that module can call the route.

In general, developers are advised to always verify authorization on target resources (pages, database tables, files, etc.) within the corresponding AJAX handler or controller. More details are available at https://docs.typo3.org/permalink/t3coreapi:be-user-check.
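The following is an added illustration, not code from the advisory or from TYPO3 itself, of the two layers recommended above: binding an AJAX route to its module via inheritAccessFromModule, and verifying authorization on the target resource inside the handler. The extension key "myext", the module name "web_myext", the route path and the controller class are assumptions; the TYPO3 API calls (BackendUtility::getRecord, BackendUserAuthentication::check and doesUserHaveAccess, JsonResponse, Permission::PAGE_EDIT) are real core APIs.

```php
<?php
// File 1 (assumed path): Configuration/Backend/AjaxRoutes.php
use MyVendor\MyExt\Controller\PageTitleAjaxController; // assumed class

return [
    // Weak form: no module binding, so any authenticated backend user can
    // reach the route even without access to the "web_myext" module.
    // 'myext_update_title' => [
    //     'path'   => '/myext/update-title',
    //     'target' => PageTitleAjaxController::class . '::updateAction',
    // ],

    // Fixed form: the route inherits the access check of its backend module.
    'myext_update_title' => [
        'path'   => '/myext/update-title',
        'target' => PageTitleAjaxController::class . '::updateAction',
        'inheritAccessFromModule' => 'web_myext', // assumed module name
    ],
];

// File 2 (assumed path): Classes/Controller/PageTitleAjaxController.php
namespace MyVendor\MyExt\Controller;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use TYPO3\CMS\Backend\Utility\BackendUtility;
use TYPO3\CMS\Core\Http\JsonResponse;
use TYPO3\CMS\Core\Type\Bitmask\Permission;

final class PageTitleAjaxController
{
    public function updateAction(ServerRequestInterface $request): ResponseInterface
    {
        $backendUser = $GLOBALS['BE_USER'];
        $body = (array)($request->getParsedBody() ?? []);
        $pageUid = (int)($body['pageUid'] ?? 0);

        // Defence in depth: the module binding gates the route, but the
        // handler still checks the concrete target resource (the page record).
        $pageRecord = BackendUtility::getRecord('pages', $pageUid);
        if ($pageRecord === null
            || !$backendUser->check('tables_modify', 'pages')
            || !$backendUser->doesUserHaveAccess($pageRecord, Permission::PAGE_EDIT)
        ) {
            return new JsonResponse(['error' => 'Access denied'], 403);
        }

        // ... apply the change through DataHandler, which re-checks permissions ...
        return new JsonResponse(['ok' => true]);
    }
}
```

The two files are shown in one listing for brevity; in an extension they live at the separate paths named in the comments.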

Credits

Thanks to TYPO3 security team member Elias Häußler for reporting and fixing this issue.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security-related code changes are tagged so you can easily look them up in our review system.