CVE-2025-59016

Description

Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed low-level file-system operations.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

Low

User Interaction

None

Confidentiality (Vulnerable System)

Low

Integrity (Vulnerable System)

None

Availability (Vulnerable System)

None

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Affected products

TYPO3 / TYPO3 CMS9.0.0 – 9.5.55
TYPO3 / TYPO3 CMS10.0.0 – 10.4.54
TYPO3 / TYPO3 CMS11.0.0 – 11.5.48
TYPO3 / TYPO3 CMS12.0.0 – 12.4.37
TYPO3 / TYPO3 CMS13.0.0 – 13.4.18

References

MISChttps://typo3.org/security/advisory/typo3-core-sa-2025-020