- Release Date: November 12, 2025
- Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
- Component: “Forms Export” (frp_form_answers)
- Composer Package Name: frappant/frp-form-answers
- Vulnerability Type: Server-Side Request Forgery
- Affected Versions: 5.0.3 and below, 6.0.0 - 6.1.1
- Severity: High
- Suggested CVSS v4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
- References: CVE-2025-54370, CWE-918
Problem Description
The TER extension bundles the PHP package “phpoffice/phpspreadsheet”, which is affected by a Server-Side Request Forgery vulnerability.
Note: The extension does not bundle the PHP package “phpoffice/phpspreadsheet” anymore. The Excel Export feature does only work, when the extension is installed via composer.
Solution
Updated versions 5.0.4 and 6.1.2 are available from the TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/frp_form_answers/5.0.4/zip
https://extensions.typo3.org/extension/download/frp_form_answers/6.1.2/zip
Users of the extension are advised to update the extension as soon as possible.
Credits
Thanks to Mikel Wohlschlegel for reporting the vulnerability and to Jonas Hirschi for providing updated versions of the extension.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.