Denial of Service via Page Error Handling in TYPO3/cms
Description
TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. Users are advised to update to TYPO3 version 11.5.16 to resolve this issue. There are no known workarounds for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TYPO3 CMS before 11.5.16 suffers from a self-referencing error handler that leads to a denial-of-service condition when invalid or non-existing resources are requested.
Vulnerability Analysis
CVE-2022-36104 describes a denial-of-service vulnerability in TYPO3 CMS, affecting versions prior to 11.5.16. The root cause lies in the page error handler: when an HTTP request targets an invalid or non-existing resource, the error handler attempts to retrieve content from another page to display as an error message. This creates a recursive loop where the application calls itself repeatedly, amplifying the impact until the web server's resource limits are exhausted [1].
Attack Surface and Exploitation
Exploitation requires no authentication and can be carried out by sending crafted HTTP requests to any TYPO3 installation running a vulnerable version. An attacker simply requests a non-existent path, which triggers the error handler's flawed logic. The attack does not require administrative privileges or special network access, making it remotely exploitable over the internet [1][2].
Impact
A successful attack results in a denial-of-service (DoS) condition, exhausting server resources such as CPU, memory, or connection limits, thereby rendering the web application unavailable to legitimate users. While the vulnerability does not lead to data compromise or privilege escalation, its low complexity and remote exploitability make it a viable vector for disrupting TYPO3-based websites [1].
Mitigation
The vulnerability is patched in TYPO3 version 11.5.16. Users are strongly advised to upgrade immediately, as there are no known workarounds [1]. The issue is tracked in the FriendsOfPHP security advisories for both the typo3/cms and typo3/cms-core components [3][4].
- [1] NVD - CVE-2022-36104
- [2] GitHub - TYPO3/typo3: The TYPO3 Core - Enterprise Content Management System. Synchronized mirror of https://review.typo3.org/q/project:Packages/TYPO3.CMS
- [3] security-advisories/typo3/cms/CVE-2022-36104.yaml at master · FriendsOfPHP/security-advisories
- [4] security-advisories/typo3/cms-core/CVE-2022-36104.yaml at master · FriendsOfPHP/security-advisories
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| typo3/cms-core (Packagist) | >= 11.4.0, < 11.5.16 | 11.5.16 |
| typo3/cms (Packagist) | >= 11.4.0, < 11.5.16 | 11.5.16 |
Affected products
- osv-coords (3 version ranges, no CPE):
  - range: >= 11.4.0, < 11.5.15
  - range: >= 11.4.0, < 11.5.16
  - range: >= 11.4.0, < 11.5.16
Patches
179dd7cd7894 [SECURITY] Mitigate denial-of-service scenarios in page error handler
1 file changed · +7 −0
typo3/sysext/core/Classes/Error/PageErrorHandler/PageContentErrorHandler.php+7 −0 modified@@ -95,6 +95,13 @@ public function handlePageError(ServerRequestInterface $request, string $message $urlParams['pageuid'] = (int)($urlParams['pageuid'] ?? 0); $resolvedUrl = $this->resolveUrl($request, $urlParams); + // avoid denial-of-service amplification scenario + if ($resolvedUrl === (string)$request->getUri()) { + return new HtmlResponse( + 'The error page could not be resolved, as the error page itself is not accessible', + $this->statusCode + ); + } if ($this->useSubrequest) { // Create a subrequest and do not take any special query parameters into account $subRequest = $request->withQueryParams([])->withUri(new Uri($resolvedUrl))->withMethod('GET');
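Review bot: the guard inserted before `if ($this->useSubrequest)` stops the self-loop only when `$resolvedUrl` is byte-for-byte equal to `(string)$request->getUri()`, so it relies on both strings being in identical form. Since the subrequest built a few lines later is created with `withQueryParams([])` and a fresh `new Uri($resolvedUrl)`, an original request that carried a query string does not match on the first pass and is only stopped on the nested request, and an error-page chain that passes through a second page before returning to the first is not detected by this comparison at all. Consider comparing normalized components (scheme, host, path) instead of the full string, or attaching an explicit marker or depth attribute to the subrequest so that any re-entry into handlePageError is refused regardless of how the URL is spelled. Returning a fixed HtmlResponse with `$this->statusCode` is the right fallback here, since the client still receives the configured error status rather than a 500 or a timeout.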
fc51ccbf2bb8 [SECURITY] Mitigate denial-of-service scenarios in page error handler
1 file changed · +7 −0
typo3/sysext/core/Classes/Error/PageErrorHandler/PageContentErrorHandler.php+7 −0 modified@@ -95,6 +95,13 @@ public function handlePageError(ServerRequestInterface $request, string $message $urlParams['pageuid'] = (int)($urlParams['pageuid'] ?? 0); $resolvedUrl = $this->resolveUrl($request, $urlParams); + // avoid denial-of-service amplification scenario + if ($resolvedUrl === (string)$request->getUri()) { + return new HtmlResponse( + 'The error page could not be resolved, as the error page itself is not accessible', + $this->statusCode + ); + } if ($this->useSubrequest) { // Create a subrequest and do not take any special query parameters into account $subRequest = $request->withQueryParams([])->withUri(new Uri($resolvedUrl))->withMethod('GET');
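Review bot: this hunk is the same seven-line guard as commit 179dd7cd7894 above, applied on a second branch, and like that commit it changes only PageContentErrorHandler.php with no accompanying test. A unit test for handlePageError that configures the error page to resolve to the request's own URI and asserts that an HtmlResponse carrying `$this->statusCode` is returned, with no subrequest dispatched, would lock the behaviour in and keep the two branches from drifting apart. The inline comment `// avoid denial-of-service amplification scenario` would also serve future readers better if it named the condition being guarded, namely the error page resolving to the very request that triggered it.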
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fffr-7x4x-f98q (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-36104 (advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-36104.yaml (web)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-36104.yaml (web)
- github.com/TYPO3/typo3/commit/179dd7cd78947081d573fee2050e197faa556f13 (web, x_refsource_MISC)
- github.com/TYPO3/typo3/commit/fc51ccbf2bb8a8c959aa74cbceca124971e6e7fd (web)
- github.com/TYPO3/typo3/security/advisories/GHSA-fffr-7x4x-f98q (web, x_refsource_CONFIRM)
- typo3.org/security/advisory/typo3-core-sa-2022-006 (web, x_refsource_MISC)