Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-47937

CVE-2025-47937: TYPO3 CMS Information Disclosure Flaw

CVE-2025-47937 is an information disclosure vulnerability in TYPO3 CMS that exposes unauthorized data from multi-table database queries. This article covers technical details, affected versions, security impact, and mitigation.

Published:

CVE-2025-47937 Overview

CVE-2025-47937 is an authorization flaw [CWE-863] in TYPO3, an open source PHP-based content management system. The vulnerability affects TYPO3 versions from 9.0.0 through the fixed releases. When a database query joins multiple tables through the Database Abstraction Layer (DBAL), the FrontendGroupRestriction applies only to the first table. Data from additional joined tables can leak to unauthorized frontend users. The issue is remotely exploitable over the network without authentication or user interaction.

Critical Impact

Unauthenticated remote attackers can obtain frontend-restricted data from secondary tables in multi-table DBAL queries, leading to unauthorized information disclosure.

Affected Products

  • TYPO3 versions 9.0.0 through 9.5.50 ELTS
  • TYPO3 versions 10.0.0 through 10.4.49 ELTS, 11.0.0 through 11.5.43 ELTS
  • TYPO3 versions 12.0.0 through 12.4.30 LTS and 13.0.0 through 13.4.11 LTS

Discovery Timeline

  • 2025-05-20 - CVE-2025-47937 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-47937

Vulnerability Analysis

TYPO3 enforces frontend user group access controls through the FrontendGroupRestriction class within its DBAL layer. This restriction filters records based on the authenticated frontend user's group membership. When a query targets a single table, the restriction operates correctly and returns only records the user is permitted to see.

The defect appears in multi-table queries. The DBAL applies FrontendGroupRestriction only to the primary table referenced in the query. Additional tables joined into the same query bypass the group filter entirely. Rows that should be restricted to specific frontend groups are returned to any caller.

The flaw is classified as incorrect authorization [CWE-863]. It sits in shared query-building code, so any extension or core feature relying on multi-table DBAL queries inherits the exposure.

Root Cause

The FrontendGroupRestriction implementation binds its WHERE clause to the first table alias in the query. The DBAL restriction container does not iterate across every table participating in the join. Secondary tables receive no fe_group filter, allowing protected records to enter the result set.

Attack Vector

An unauthenticated attacker sends requests to a frontend endpoint that triggers a multi-table DBAL query. The response includes rows from secondary tables that were meant to be restricted by frontend group membership. Exploitation requires no credentials, no privileges, and no user interaction. The vulnerability affects confidentiality only; integrity and availability are unchanged.

The vulnerability is described in prose because no verified public exploit code is available. See the TYPO3 Security Advisory and the GitHub Security Advisory for technical details.

Detection Methods for CVE-2025-47937

Indicators of Compromise

  • Frontend HTTP requests returning content fields, records, or metadata that should be scoped to specific fe_group values.
  • Access log entries showing anonymous users retrieving pages or JSON responses containing records from restricted extensions.
  • Anomalous volumes of GET requests against listing views, search endpoints, or API routes backed by multi-table queries.

Detection Strategies

  • Audit installed TYPO3 extensions for custom repositories using QueryBuilder with join(), leftJoin(), or innerJoin() calls against tables containing an fe_group column.
  • Compare rendered frontend output for anonymous versus group-authenticated sessions to identify records that should not be visible.
  • Enable TYPO3 SQL query logging in staging and inspect generated queries for missing fe_group predicates on secondary tables.

Monitoring Recommendations

  • Forward web server and TYPO3 application logs to a centralized SIEM to baseline frontend request patterns and flag deviations.
  • Monitor for repeated unauthenticated access to endpoints that expose data from access-restricted content elements.
  • Track outbound response sizes on frontend URLs; sudden increases can indicate unrestricted result sets.

How to Mitigate CVE-2025-47937

Immediate Actions Required

  • Upgrade to TYPO3 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS.
  • Inventory all frontend-facing extensions that issue multi-table DBAL queries and confirm they receive the fixed core.
  • Rotate any sensitive records that may have been exposed while the vulnerable version was in production.

Patch Information

The TYPO3 project released fixes in 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS. Details are documented in TYPO3-CORE-SA-2025-011 and the GitHub Security Advisory GHSA-x8pv-fgxp-8v3x. Apply updates through Composer using composer update typo3/cms-core or the equivalent metapackage.

Workarounds

  • Refactor custom repositories to split multi-table queries into single-table queries where each result set is filtered against fe_group explicitly.
  • Add manual fe_group predicates to QueryBuilder calls for every joined table until the core patch is applied.
  • Restrict anonymous access to affected frontend routes via reverse proxy rules while patching is scheduled.
bash
# Update TYPO3 core to a fixed release via Composer
composer require typo3/cms-core:^13.4.12 --update-with-dependencies

# Verify installed version
./vendor/bin/typo3 --version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.