CVE-2025-47937 Overview
CVE-2025-47937 is an authorization flaw [CWE-863] in TYPO3, an open source PHP-based content management system. The vulnerability affects TYPO3 versions from 9.0.0 through the fixed releases. When a database query joins multiple tables through the Database Abstraction Layer (DBAL), the FrontendGroupRestriction applies only to the first table. Data from additional joined tables can leak to unauthorized frontend users. The issue is remotely exploitable over the network without authentication or user interaction.
Critical Impact
Unauthenticated remote attackers can obtain frontend-restricted data from secondary tables in multi-table DBAL queries, leading to unauthorized information disclosure.
Affected Products
- TYPO3 versions 9.0.0 through 9.5.50 ELTS
- TYPO3 versions 10.0.0 through 10.4.49 ELTS, 11.0.0 through 11.5.43 ELTS
- TYPO3 versions 12.0.0 through 12.4.30 LTS and 13.0.0 through 13.4.11 LTS
Discovery Timeline
- 2025-05-20 - CVE-2025-47937 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-47937
Vulnerability Analysis
TYPO3 enforces frontend user group access controls through the FrontendGroupRestriction class within its DBAL layer. This restriction filters records based on the authenticated frontend user's group membership. When a query targets a single table, the restriction operates correctly and returns only records the user is permitted to see.
The defect appears in multi-table queries. The DBAL applies FrontendGroupRestriction only to the primary table referenced in the query. Additional tables joined into the same query bypass the group filter entirely. Rows that should be restricted to specific frontend groups are returned to any caller.
The flaw is classified as incorrect authorization [CWE-863]. It sits in shared query-building code, so any extension or core feature relying on multi-table DBAL queries inherits the exposure.
Root Cause
The FrontendGroupRestriction implementation binds its WHERE clause to the first table alias in the query. The DBAL restriction container does not iterate across every table participating in the join. Secondary tables receive no fe_group filter, allowing protected records to enter the result set.
Attack Vector
An unauthenticated attacker sends requests to a frontend endpoint that triggers a multi-table DBAL query. The response includes rows from secondary tables that were meant to be restricted by frontend group membership. Exploitation requires no credentials, no privileges, and no user interaction. The vulnerability affects confidentiality only; integrity and availability are unchanged.
The vulnerability is described in prose because no verified public exploit code is available. See the TYPO3 Security Advisory and the GitHub Security Advisory for technical details.
Detection Methods for CVE-2025-47937
Indicators of Compromise
- Frontend HTTP requests returning content fields, records, or metadata that should be scoped to specific fe_group values.
- Access log entries showing anonymous users retrieving pages or JSON responses containing records from restricted extensions.
- Anomalous volumes of GET requests against listing views, search endpoints, or API routes backed by multi-table queries.
Detection Strategies
- Audit installed TYPO3 extensions for custom repositories using QueryBuilder with join(), leftJoin(), or innerJoin() calls against tables containing an fe_group column.
- Compare rendered frontend output for anonymous versus group-authenticated sessions to identify records that should not be visible.
- Enable TYPO3 SQL query logging in staging and inspect generated queries for missing fe_group predicates on secondary tables.
Monitoring Recommendations
- Forward web server and TYPO3 application logs to a centralized SIEM to baseline frontend request patterns and flag deviations.
- Monitor for repeated unauthenticated access to endpoints that expose data from access-restricted content elements.
- Track outbound response sizes on frontend URLs; sudden increases can indicate unrestricted result sets.
How to Mitigate CVE-2025-47937
Immediate Actions Required
- Upgrade to TYPO3 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS.
- Inventory all frontend-facing extensions that issue multi-table DBAL queries and confirm they receive the fixed core.
- Rotate any sensitive records that may have been exposed while the vulnerable version was in production.
Patch Information
The TYPO3 project released fixes in 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS. Details are documented in TYPO3-CORE-SA-2025-011 and the GitHub Security Advisory GHSA-x8pv-fgxp-8v3x. Apply updates through Composer using composer update typo3/cms-core or the equivalent metapackage.
Workarounds
- Refactor custom repositories to split multi-table queries into single-table queries where each result set is filtered against fe_group explicitly.
- Add manual fe_group predicates to QueryBuilder calls for every joined table until the core patch is applied.
- Restrict anonymous access to affected frontend routes via reverse proxy rules while patching is scheduled.
# Update TYPO3 core to a fixed release via Composer
composer require typo3/cms-core:^13.4.12 --update-with-dependencies
# Verify installed version
./vendor/bin/typo3 --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

