VYPR
Moderate severity · NVD Advisory · Published Sep 13, 2022 · Updated Apr 23, 2025

User Enumeration via Response Timing in TYPO3

CVE-2022-36105

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that observing response time during user authentication (backend and frontend) can be used to distinguish between existing and non-existing user accounts. Extension authors of 3rd party TYPO3 extensions providing a custom authentication service should check if the extension is affected by the described problem. Affected extensions must implement new MimicServiceInterface::mimicAuthUser, which simulates corresponding times regular processing would usually take. Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix this problem. There are no known workarounds for this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TYPO3 user authentication response times can be used to enumerate valid accounts; fixed in versions 7.6.58, 8.7.48, 9.5.37, 10.4.32, 11.5.16.

CVE-2022-36105 describes an observable timing discrepancy (CWE-208) in TYPO3's user authentication. The core authentication service performs the deliberately expensive password-hash check only when a record matching the submitted username exists; a login attempt for an unknown username finishes without any hashing and therefore returns measurably faster. By measuring the response time of login attempts, an attacker can differentiate between existing and non-existing user accounts [1].

An attacker exploits this by submitting login attempts with candidate usernames (and any password) to the backend or frontend login form and recording the server response times; names whose attempts consistently take longer correspond to existing accounts. No special privileges are required, only network access to the login endpoint of the TYPO3 instance [1].

The impact is user enumeration. The leak does not compromise any account by itself, but a confirmed list of valid usernames lowers the barrier for follow-on attacks such as credential stuffing, password brute-forcing and targeted phishing against those accounts [1].
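The mechanism described above, as an added example that is not part of the advisory and not TYPO3 code: a stand-alone PHP script with a constructed two-user table, a vulnerable login that returns early for unknown names, a hardened login that performs a dummy hash of the same cost for unknown names (the approach the TYPO3 fix takes), and a median timing measurement of both variants. All function names and sample data are this example's own.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3 code): reproduces the CWE-208 pattern behind
// CVE-2022-36105 and the "mimic" mitigation used by the fix.
// The user table and passwords below are constructed sample data.

const BCRYPT_COST = 10;

/** @return array<string, string> username => bcrypt hash (constructed sample data) */
function buildUserTable(): array
{
    return [
        'admin'  => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]),
        'editor' => password_hash('s3cret-editor-pw', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]),
    ];
}

/**
 * Vulnerable variant: when no record matches the username the function returns
 * before any password hashing happens, so the response is measurably faster
 * for an unknown account than for a known account with a wrong password.
 */
function vulnerableLogin(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;                                           // fast path: no hashing
    }
    return password_verify($password, $users[$username]);       // slow path: full bcrypt
}

/**
 * Hardened variant: for an unknown username, perform one hash computation of
 * the same cost (the "mimic" step) so both outcomes take about the same time.
 * bin2hex() keeps NUL bytes out of the dummy input, which bcrypt does not accept.
 */
function hardenedLogin(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        password_hash(bin2hex(random_bytes(10)), PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        return false;                                           // result deliberately discarded
    }
    return password_verify($password, $users[$username]);
}

/** Median wall-clock time in milliseconds of $samples failed logins for $username. */
function medianLoginMs(callable $login, array $users, string $username, int $samples = 7): float
{
    $times = [];
    for ($i = 0; $i < $samples; $i++) {
        $start = hrtime(true);
        $login($users, $username, 'definitely-wrong-password');
        $times[] = (hrtime(true) - $start) / 1e6;
    }
    sort($times);
    return $times[intdiv(count($times), 2)];
}

$users = buildUserTable();
foreach (['vulnerableLogin', 'hardenedLogin'] as $variant) {
    $known   = medianLoginMs($variant, $users, 'admin');    // existing account, wrong password
    $unknown = medianLoginMs($variant, $users, 'nobody');   // non-existing account
    printf("%-16s known=%6.1f ms  unknown=%6.1f ms  ratio=%.1f\n",
        $variant, $known, $unknown, $unknown > 0 ? $known / $unknown : INF);
}
```

Run it with `php timing.php`. For the vulnerable variant the unknown-user attempt takes a fraction of a millisecond while the known-user attempt costs a full bcrypt round, so the ratio is large; for the hardened variant both medians sit at one bcrypt round and the ratio is close to 1. The remaining jitter is what an attacker on a real network has to average away, which is why the mitigation aims at equal work rather than a fixed response time.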

TYPO3 has released patches for all affected branches: 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32, and 11.5.16. The fix adds a MimicServiceInterface: when a login was actively submitted but no user record matched, the core now calls mimicAuthUser() on each registered authentication service in priority order, and the core AuthenticationService implements it by hashing random bytes with the default password hash of the login type, so a request for an unknown account pays roughly the same hashing cost as one for a known account [3][4]. Third-party authentication services are only covered once they implement the interface themselves. No workarounds are available, so upgrading is essential [1].
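The description tells extension authors that a custom authentication service must implement MimicServiceInterface. The following is an added example of such a service; it is not TYPO3 core code and not taken from any real extension. The extension key my_ext, the namespace Vendor\MyExt, the class name and the user column tx_myext_secret are hypothetical. The TYPO3 pieces it relies on (AbstractAuthenticationService with its $login and $pObj properties, the authUser() return codes, PasswordHashFactory, GeneralUtility::makeInstance, getDefaultHashInstance() and getHashedPassword()) are the ones the patched core service itself uses; the fully qualified class names are assumed from TYPO3 10/11.

```php
<?php
declare(strict_types=1);

namespace Vendor\MyExt\Service;   // hypothetical extension namespace

use TYPO3\CMS\Core\Authentication\AbstractAuthenticationService;
use TYPO3\CMS\Core\Authentication\MimicServiceInterface;
use TYPO3\CMS\Core\Crypto\PasswordHashing\InvalidPasswordHashException;
use TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
use TYPO3\CMS\Core\Utility\GeneralUtility;

/**
 * Added example (not core or real extension code): an auth service that verifies
 * the submitted password against a hash stored in a custom user column
 * (tx_myext_secret, hypothetical) instead of the regular password field, and
 * implements MimicServiceInterface so that unknown usernames cost the same time.
 */
final class CustomHashAuthService extends AbstractAuthenticationService implements MimicServiceInterface
{
    /** Hypothetical custom column holding a password hash in TYPO3's hash format. */
    private const HASH_COLUMN = 'tx_myext_secret';

    /**
     * Called with the user record that core's getUser() step looked up.
     * Return codes follow the TYPO3 convention used by the core service:
     * 200 = authenticated, stop the chain; 100 = not handled here, let the
     * following services (including core) decide; 0 = reject, stop the chain.
     */
    public function authUser(array $user): int
    {
        // 'uident_text' is the plaintext password field core fills in (assumed for 10/11).
        $submitted  = (string)($this->login['uident_text'] ?? '');
        $storedHash = (string)($user[self::HASH_COLUMN] ?? '');
        if ($submitted === '' || $storedHash === '') {
            return 100;   // no custom hash for this user: core checks the regular password
        }
        try {
            $hashInstance = GeneralUtility::makeInstance(PasswordHashFactory::class)
                ->get($storedHash, $this->pObj->loginType);
        } catch (InvalidPasswordHashException $e) {
            return 0;     // unsupported or corrupt hash: reject, do not fall through
        }
        // checkPassword() always runs the full hash computation, even on mismatch.
        return $hashInstance->checkPassword($submitted, $storedHash) ? 200 : 0;
    }

    /**
     * Runs instead of authUser() when no user record matched the submitted name.
     * A known user costs exactly one hash computation in this chain (either this
     * service's checkPassword() or core's regular check), so the mimic performs
     * one default-hash computation and returns false to stop the chain; returning
     * true here would let core mimic as well, making the unknown-user path slower
     * than the known-user path, which is the same discrepancy inverted.
     */
    public function mimicAuthUser(): bool
    {
        try {
            GeneralUtility::makeInstance(PasswordHashFactory::class)
                ->getDefaultHashInstance($this->pObj->loginType)
                ->getHashedPassword(bin2hex(random_bytes(10)));   // hex: no NUL bytes for bcrypt
        } catch (\Throwable $e) {
            // A failing mimic must not turn into a different observable response.
        }
        return false;
    }
}
```

The service is registered in the extension's ext_localconf.php with ExtensionManagementUtility::addService('my_ext', 'auth', CustomHashAuthService::class, [...]) using subtype 'authUserBE,authUserFE' and a priority above the core service (core registers its own at priority 50), so it runs first; since it registers no getUser subtypes, core still performs the user lookup. If the real check in your service also involves a remote call (LDAP, OAuth introspection), the mimic has to reproduce that latency too, as the interface docblock notes; hashing alone will not do.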

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions      Patched versions
typo3/cms-core (Packagist)   >= 7.0.0, < 7.6.58     7.6.58
typo3/cms-core (Packagist)   >= 8.0.0, < 8.7.48     8.7.48
typo3/cms-core (Packagist)   >= 9.0.0, < 9.5.37     9.5.37
typo3/cms-core (Packagist)   >= 10.0.0, < 10.4.32   10.4.32
typo3/cms-core (Packagist)   >= 11.0.0, < 11.5.16   11.5.16
typo3/cms (Packagist)        >= 10.0.0, < 10.4.32   10.4.32
typo3/cms (Packagist)        >= 11.0.0, < 11.5.16   11.5.16

Affected products: 4

Patches: 2
f8b83ce15d4e

[SECURITY] Mitigate timing discrepancies during user authentication

https://github.com/TYPO3/typo3 · Oliver Hader · Sep 13, 2022 · via ghsa
3 files changed · +61 −1
  • typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php (+9 −0, modified)
    @@ -579,6 +579,15 @@ public function checkAuthentication(ServerRequestInterface $request)
                         break;
                     }
                 }
    +        // mimic user authentication to mitigate observable timing discrepancies
    +        // @link https://cwe.mitre.org/data/definitions/208.html
    +        } elseif ($activeLogin) {
    +            $subType = 'authUser' . $this->loginType;
    +            foreach ($this->getAuthServices($subType, $loginData, $authInfo) as $serviceObj) {
    +                if ($serviceObj instanceof MimicServiceInterface && $serviceObj->mimicAuthUser() === false) {
    +                    break;
    +                }
    +            }
             }
     
             // If user is authenticated a valid user is in $tempuser
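Review bot: the two `// mimic user authentication ...` comment lines sit before `} elseif ($activeLogin) {`, i.e. syntactically inside the branch being closed, so the diff reads as if they annotate the previous block; move them inside the new `elseif` body. On the logic: the branch runs only when the earlier branch (a matched user record) was not taken and a login was actively submitted, so the wrong-password-for-existing-user path still does real hashing while the unknown-user path now calls each service's mimicAuthUser() in priority order and stops at the first `false`. That stop-on-false contract means a higher-priority third-party service returning `false` without doing comparable work suppresses the core service's own hash simulation and reintroduces the discrepancy; it should be stated in the interface docblock or the changelog.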
    
  • typo3/sysext/core/Classes/Authentication/AuthenticationService.php (+17 −1, modified)
    @@ -28,7 +28,7 @@
     /**
      * Authentication services class
      */
    -class AuthenticationService extends AbstractAuthenticationService
    +class AuthenticationService extends AbstractAuthenticationService implements MimicServiceInterface
     {
         /**
          * Process the submitted credentials.
    @@ -174,6 +174,22 @@ public function authUser(array $user): int
             return 200;
         }
     
    +    /**
    +     * Mimics password hashing for invalid authentication requests to mitigate
    +     * @link https://cwe.mitre.org/data/definitions/208.html: CWE-208: Observable Timing Discrepancy
    +     */
    +    public function mimicAuthUser(): bool
    +    {
    +        try {
    +            $hashFactory = GeneralUtility::makeInstance(PasswordHashFactory::class);
    +            $defaultHashInstance = $hashFactory->getDefaultHashInstance($this->pObj->loginType);
    +            $defaultHashInstance->getHashedPassword(random_bytes(10));
    +        } catch (\Exception) {
    +            // no further processing here
    +        }
    +        return false;
    +    }
    +
         /**
          * Method updates a FE/BE user record - in this case a new password string will be set.
          *
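Review bot: the docblock sentence on the first added line breaks off after "to mitigate" and runs straight into the @link; finish it, e.g. "to mitigate observable timing discrepancies (CWE-208)". In the body, `random_bytes(10)` is raw binary and can contain NUL bytes; bcrypt treats NUL as a terminator and PHP's password_hash() refuses such input for PASSWORD_BCRYPT, so on installations whose default hash is bcrypt the mimic fails on a fraction of requests, and because that failure surfaces as a ValueError (an \Error, not an \Exception) it is not caught by `catch (\Exception)` and turns an unknown-username login into a server error, itself an observable difference. Use `bin2hex(random_bytes(10))`, which also looks more like a typed password, and catch \Throwable since the result is discarded anyway. The unconditional `return false` stops the mimic chain; that is acceptable for the core service because it is ordinarily the last one registered, but a one-line comment saying so would help extension authors who copy this method.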
    
  • typo3/sysext/core/Classes/Authentication/MimicServiceInterface.php (+35 −0, added)
    @@ -0,0 +1,35 @@
    +<?php
    +
    +declare(strict_types=1);
    +
    +/*
    + * This file is part of the TYPO3 CMS project.
    + *
    + * It is free software; you can redistribute it and/or modify it under
    + * the terms of the GNU General Public License, either version 2
    + * of the License, or any later version.
    + *
    + * For the full copyright and license information, please read the
    + * LICENSE.txt file that was distributed with this source code.
    + *
    + * The TYPO3 project - inspiring people to share!
    + */
    +
    +namespace TYPO3\CMS\Core\Authentication;
    +
    +interface MimicServiceInterface
    +{
    +    /**
    +     * Mimics user authentication for known invalid authentication requests. This method can be used
    +     * to mitigate timing discrepancies for invalid authentication attempts, which can be used for
    +     * user enumeration.
    +     *
    +     * Authentication services can implement this method to simulate(!) corresponding processes that
    +     * would be processed during valid requests - e.g. perform password hashing (timing) or call
    +     * remote services (network latency).
    +     *
    +     * @return bool whether other services shall continue
    +     * @link https://cwe.mitre.org/data/definitions/208.html: CWE-208: Observable Timing Discrepancy
    +     */
    +    public function mimicAuthUser(): bool;
    +}
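Review bot: the `@return bool whether other services shall continue` line leaves open what an implementation should actually return; tie it to authUser()'s codes: return true when the real authUser() would have returned 100 for a user the service does not handle (so the services after it, including core's, still mimic), and false when it would have returned 200 or 0 and ended the chain. It is also worth stating that the work of the whole mimic chain should match the work of the real chain for a known user, not each service's own work in isolation; two services that each hash once make the unknown-user path slower than the known-user path, which is the same discrepancy with the sign flipped.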
    
f0fc9c4cd7c3

[SECURITY] Mitigate timing discrepancies during user authentication

https://github.com/TYPO3/typo3 · Oliver Hader · Sep 13, 2022 · via ghsa
3 files changed · +61 −1
  • typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php (+9 −0, modified)
    @@ -590,6 +590,15 @@ public function checkAuthentication(ServerRequestInterface $request = null)
                         break;
                     }
                 }
    +        // mimic user authentication to mitigate observable timing discrepancies
    +        // @link https://cwe.mitre.org/data/definitions/208.html
    +        } elseif ($activeLogin) {
    +            $subType = 'authUser' . $this->loginType;
    +            foreach ($this->getAuthServices($subType, $loginData, $authInfo) as $serviceObj) {
    +                if ($serviceObj instanceof MimicServiceInterface && $serviceObj->mimicAuthUser() === false) {
    +                    break;
    +                }
    +            }
             }
     
             // If user is authenticated a valid user is in $tempuser
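Review bot: identical to the corresponding hunk in f8b83ce15d4e apart from the line offset and the `$request = null` signature of this branch; the misplaced comment lines before `} elseif ($activeLogin) {` and the undocumented stop-on-false contract apply here in the same way.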
    
  • typo3/sysext/core/Classes/Authentication/AuthenticationService.php (+17 −1, modified)
    @@ -28,7 +28,7 @@
     /**
      * Authentication services class
      */
    -class AuthenticationService extends AbstractAuthenticationService
    +class AuthenticationService extends AbstractAuthenticationService implements MimicServiceInterface
     {
         /**
          * Process the submitted credentials.
    @@ -174,6 +174,22 @@ public function authUser(array $user): int
             return 200;
         }
     
    +    /**
    +     * Mimics password hashing for invalid authentication requests to mitigate
    +     * @link https://cwe.mitre.org/data/definitions/208.html: CWE-208: Observable Timing Discrepancy
    +     */
    +    public function mimicAuthUser(): bool
    +    {
    +        try {
    +            $hashFactory = GeneralUtility::makeInstance(PasswordHashFactory::class);
    +            $defaultHashInstance = $hashFactory->getDefaultHashInstance($this->pObj->loginType);
    +            $defaultHashInstance->getHashedPassword(random_bytes(10));
    +        } catch (\Exception $exception) {
    +            // no further processing here
    +        }
    +        return false;
    +    }
    +
         /**
          * Method updates a FE/BE user record - in this case a new password string will be set.
          *
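Review bot: this backport differs from the other commit only in `catch (\Exception $exception)`; the variable is unused and is there because the non-capturing catch needs PHP 8.0. The same two points apply: NUL bytes from `random_bytes(10)` break the mimic where bcrypt is the default hash, and an \Error thrown there escapes a catch of \Exception. Both fixes, `bin2hex(random_bytes(10))` and `catch (\Throwable $exception)`, are PHP 7 compatible, so they can go into this branch unchanged.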
    
  • typo3/sysext/core/Classes/Authentication/MimicServiceInterface.php (+35 −0, added)
    @@ -0,0 +1,35 @@
    +<?php
    +
    +declare(strict_types=1);
    +
    +/*
    + * This file is part of the TYPO3 CMS project.
    + *
    + * It is free software; you can redistribute it and/or modify it under
    + * the terms of the GNU General Public License, either version 2
    + * of the License, or any later version.
    + *
    + * For the full copyright and license information, please read the
    + * LICENSE.txt file that was distributed with this source code.
    + *
    + * The TYPO3 project - inspiring people to share!
    + */
    +
    +namespace TYPO3\CMS\Core\Authentication;
    +
    +interface MimicServiceInterface
    +{
    +    /**
    +     * Mimics user authentication for known invalid authentication requests. This method can be used
    +     * to mitigate timing discrepancies for invalid authentication attempts, which can be used for
    +     * user enumeration.
    +     *
    +     * Authentication services can implement this method to simulate(!) corresponding processes that
    +     * would be processed during valid requests - e.g. perform password hashing (timing) or call
    +     * remote services (network latency).
    +     *
    +     * @return bool whether other services shall continue
    +     * @link https://cwe.mitre.org/data/definitions/208.html: CWE-208: Observable Timing Discrepancy
    +     */
    +    public function mimicAuthUser(): bool;
    +}
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8

News mentions: 0 (no linked articles in our index yet)