Denial of Service in Page Error Handling
Description
TYPO3 is an open source PHP-based web content management system. In TYPO3 versions before 9.5.25, 10.4.14 and 11.1.1, requesting invalid or non-existing resources via HTTP triggers the page error handler, which in turn could retrieve content to be shown as the error message from another page. This leads to a scenario in which the application calls itself recursively, amplifying the impact of the initial attack until the limits of the web server are exceeded. This is fixed in versions 9.5.25, 10.4.14 and 11.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TYPO3 CMS is vulnerable to a denial-of-service attack via recursive error page handling, fixed in versions 9.5.25, 10.4.14, and 11.1.1.
CVE-2021-21359 is a denial-of-service (DoS) vulnerability in TYPO3, an open-source PHP-based CMS. The root cause lies in the error handler for invalid or non-existing resources. When a request triggers the page error handler, it can retrieve content from another page to display as the error message. This design allows the application to recursively call itself, amplifying each request until web server limits are exceeded [2].
Exploitation
An attacker can exploit this vulnerability by sending HTTP requests for invalid or non-existing resources. No authentication is required, as the attack targets the unauthenticated error-handling path. Each recursive cycle increases the load on the server, eventually consuming all resources [2].
Impact
Successful exploitation leads to resource exhaustion of the web server, causing a denial of service. The impact is limited to availability; data integrity and confidentiality are not directly affected. The vulnerability can be triggered remotely via simple HTTP requests [2].
Mitigation
The issue is fixed in TYPO3 versions 9.5.25, 10.4.14, and 11.1.1 [2]. Users should upgrade immediately. No workarounds are documented, but restricting access to the error handler via web server configuration may reduce exposure. It is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| typo3/cms-core (Packagist) | >= 10.0.0, < 10.4.14 | 10.4.14 |
| typo3/cms-core (Packagist) | >= 11.0.0, < 11.1.1 | 11.1.1 |
| typo3/cms-core (Packagist) | >= 9.0.0, < 9.5.25 | 9.5.25 |
| typo3/cms (Packagist) | >= 10.0.0, < 10.4.14 | 10.4.14 |
| typo3/cms (Packagist) | >= 11.0.0, < 11.1.1 | 11.1.1 |
| typo3/cms (Packagist) | >= 9.0.0, < 9.5.25 | 9.5.25 |
Affected products
- osv-coords (3 versions): >= 9.0.0, < 9.5.25 (+ 2 more)
- (no CPE) range: >= 9.0.0, < 9.5.25
- (no CPE) range: >= 10.0.0, < 10.4.14
- (no CPE) range: >= 10.0.0, < 10.4.14
- TYPO3/TYPO3.CMS (v5) range: >= 9.0.0, <= 9.5.24
References
- github.com/advisories/GHSA-4p9g-qgx9-397p (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-21359 (ghsa, ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21359.yaml (ghsa, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21359.yaml (ghsa, WEB)
- github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4p9g-qgx9-397p (ghsa, x_refsource_CONFIRM, WEB)
- packagist.org/packages/typo3/cms-core (ghsa, x_refsource_MISC, WEB)
- typo3.org/security/advisory/typo3-core-sa-2021-005 (ghsa, x_refsource_MISC, WEB)