VYPR
Moderate severity · NVD Advisory · Published Feb 13, 2024 · Updated Aug 1, 2024

Information Disclosure of Encryption Key in TYPO3 Install Tool

CVE-2024-25119

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. The plaintext value of $GLOBALS['SYS']['encryptionKey'] was displayed in the editing forms of the TYPO3 Install Tool user interface. This allowed attackers to utilize the value to generate cryptographic hashes used for verifying the authenticity of HTTP request parameters. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TYPO3 Install Tool discloses plaintext encryption key in editing forms, enabling attackers to forge cryptographic hashes for request parameter tampering.

Vulnerability Description

The TYPO3 Install Tool user interface inadvertently displayed the plaintext value of $GLOBALS['SYS']['encryptionKey'] in its editing forms. This key is a critical security secret used for various cryptographic operations, including generating hashes that verify the authenticity of HTTP request parameters [1][3]. The disclosure occurs because the key was shown as a regular configuration field in the Install Tool's UI [4].

Attack Vector and Prerequisites

Exploitation requires an administrator-level backend user account with system maintainer permissions, meaning the attacker must already have high privileges within the TYPO3 backend [1][3]. The attack is performed over the network (AV:N) with low complexity (AC:L), as the encryption key is simply visible in the exposed form fields once authenticated [3]. No user interaction is needed beyond the initial authentication [3].

Impact

With knowledge of the plaintext encryption key, an attacker can generate valid cryptographic hashes used for verifying HTTP request parameters. This undermines the integrity of request validation, potentially allowing the attacker to craft malicious requests that would be accepted as legitimate [1][3]. The scope of impact is limited to confidentiality of the encryption key data (C:H), but does not directly affect integrity or availability of other system components [3].
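To make the Impact paragraph concrete, here is an added example; it is not TYPO3's own code and does not reproduce TYPO3's actual parameter-hash algorithm, which this page does not show. It models the generic scheme the paragraph describes: a keyed hash over the request parameters, where the encryption key is the only secret, so whoever holds the key can issue hashes the verifier accepts, and hashes issued under a disclosed key stay valid until the key is rotated. The key values and parameter names are constructed.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed key value for the example; a real installation's encryptionKey is a
# long random string kept in its configuration, never in source or in a UI form.
ORIGINAL_KEY = "constructed-example-key-0123456789abcdef"


def canonicalise(params: dict) -> bytes:
    """Serialise the parameters in a fixed order so the same set of values always
    hashes the same way, regardless of the order they arrived in."""
    return urlencode(sorted((str(k), str(v)) for k, v in params.items())).encode()


def sign_params(params: dict, encryption_key: str) -> str:
    """Keyed hash (HMAC-SHA256, an assumption for this example) over the canonical parameters."""
    return hmac.new(encryption_key.encode(), canonicalise(params), hashlib.sha256).hexdigest()


def verify_params(params: dict, provided_hash: str, encryption_key: str) -> bool:
    """Recompute the hash server-side and compare in constant time, so the check
    does not leak how many leading characters of a guess were right."""
    expected = sign_params(params, encryption_key)
    return hmac.compare_digest(expected, provided_hash)


def generate_encryption_key(num_bytes: int = 48) -> str:
    """Fresh random key from the OS CSPRNG, hex-encoded (96 characters for 48 bytes)."""
    return secrets.token_hex(num_bytes)


def rotation_effect(params: dict, old_key: str, new_key: str) -> dict:
    """Show what rotating the key does to a hash that was issued under the old key:
    it stops verifying, and links/forms must be re-issued under the new key."""
    old_hash = sign_params(params, old_key)
    return {
        "valid_under_old_key": verify_params(params, old_hash, old_key),
        "valid_under_new_key": verify_params(params, old_hash, new_key),
        "reissued_valid_under_new_key": verify_params(params, sign_params(params, new_key), new_key),
    }


if __name__ == "__main__":
    request = {"id": "42", "tx_example[action]": "show"}  # constructed parameter set
    token = sign_params(request, ORIGINAL_KEY)
    print("issued:", token)
    print("accepted:", verify_params(request, token, ORIGINAL_KEY))
    # Any change to the parameter set no longer matches the issued hash.
    print("accepted after change:", verify_params({**request, "id": "43"}, token, ORIGINAL_KEY))
    new_key = generate_encryption_key()
    print("after rotation:", rotation_effect(request, ORIGINAL_KEY, new_key))
```

The point of `rotation_effect` is the one the removed YAML description in the patches below also makes: changing the key invalidates everything previously hashed with it, which is both the cost of rotation and the reason rotation is the only way to retire a key that has been seen.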

Mitigation

The vulnerability has been fixed in TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, and 13.0.1 [1][3]. The fix removes the encryption key field from the Install Tool editing form, preventing its disclosure [4]. No workarounds are available; updating to a patched version is the only remediation [1][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions       Patched versions
typo3/cms-core (Packagist)   >= 8.0.0, < 8.7.57      8.7.57
typo3/cms-core (Packagist)   >= 9.0.0, < 9.5.46      9.5.46
typo3/cms-core (Packagist)   >= 10.0.0, < 10.4.43    10.4.43
typo3/cms-core (Packagist)   >= 11.0.0, < 11.5.35    11.5.35
typo3/cms-core (Packagist)   >= 12.0.0, < 12.4.11    12.4.11
typo3/cms-core (Packagist)   >= 13.0.0, < 13.0.1     13.0.1
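As an added example (not part of the advisory and not TYPO3's own tooling), the following script checks the `typo3/cms-core` entry of a Composer-managed installation's composer.lock against the affected ranges in the table above. The range table is copied from this page; the composer.lock excerpt is constructed; the handling of `v` prefixes and stability suffixes such as `-dev` or `-elts` is an assumption about how such versions appear in lock files.

```python
import json

# Affected ranges for typo3/cms-core, copied from the advisory's "Affected packages" table:
# (first affected version, inclusive; first patched version, exclusive).
AFFECTED_RANGES = [
    ("8.0.0", "8.7.57"),
    ("9.0.0", "9.5.46"),
    ("10.0.0", "10.4.43"),
    ("11.0.0", "11.5.35"),
    ("12.0.0", "12.4.11"),
    ("13.0.0", "13.0.1"),
]

# Constructed composer.lock excerpt (not from any real installation).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "psr/log", "version": "3.0.0"},
        {"name": "typo3/cms-core", "version": "v12.4.10"},
    ],
    "packages-dev": [],
})


def parse_version(version: str) -> tuple:
    """Turn '12.4.10', 'v12.4.10' or '9.5.46-elts' into a comparable (major, minor, patch) tuple.
    Stability suffixes (-dev, -elts) and build metadata (+...) are dropped. Branch aliases such
    as 'dev-main' carry no numbers and parse to (0, 0, 0), i.e. they are reported as not in range;
    resolve those by hand."""
    core = version.lstrip("vV").split("+", 1)[0].split("-", 1)[0]
    numbers = []
    for part in core.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        numbers.append(int(digits) if digits else 0)
    while len(numbers) < 3:
        numbers.append(0)
    return tuple(numbers[:3])


def first_patched_version(version: str):
    """Return the patched release of the matching branch if `version` is affected, else None."""
    v = parse_version(version)
    for lower, patched in AFFECTED_RANGES:
        if parse_version(lower) <= v < parse_version(patched):
            return patched
    return None


def check_composer_lock(lock_text: str, package: str = "typo3/cms-core") -> dict:
    """Locate `package` in a composer.lock document (production or dev section)
    and report whether its version falls into an affected range."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") == package:
                version = entry.get("version", "")
                patched = first_patched_version(version)
                return {
                    "package": package,
                    "version": version,
                    "affected": patched is not None,
                    "patched_in": patched,
                }
    return {"package": package, "version": None, "affected": False, "patched_in": None}


if __name__ == "__main__":
    result = check_composer_lock(SAMPLE_COMPOSER_LOCK)
    if result["affected"]:
        print(f"{result['package']} {result['version']} is affected by CVE-2024-25119; "
              f"update to {result['patched_in']} or later")
    else:
        print(f"{result['package']} {result['version']}: not in an affected range")
```

Run it against a real installation by reading the lock file into `check_composer_lock` in place of the constructed sample; installations deployed without Composer need the version read from the core package's own metadata instead, which this script does not attempt.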

Affected products: 2

Patches: 3
14d101359c71

[SECURITY] Do not disclose encryptionKey via InstallTool

https://github.com/TYPO3/typo3 · Benjamin Franzke · Feb 13, 2024 · via ghsa
4 files changed · +12 -5
  • typo3/sysext/core/Classes/Configuration/ConfigurationManager.php (+1 -0, modified)
    @@ -69,6 +69,7 @@ class ConfigurationManager
             'EXTCONF',
             'DB',
             'SYS/caching/cacheConfigurations',
    +        'SYS/encryptionKey',
             'SYS/session',
             'EXTENSIONS',
         ];
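Review bot: nothing in this hunk shows what consumes the list that `'SYS/encryptionKey'` is appended to, so the fix is only verifiable if the Install Tool form actually honours that list, and none of the test hunks in these three commits asserts that the rendered editing form omits the key (they only set and unset the global). A regression test that builds the form and asserts the configured key value is absent from its output would pin the behaviour this advisory is about. A short comment on the list stating that entries are values never to be exposed or edited through the UI would also help the next person who adds a secret.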
    
  • typo3/sysext/core/Classes/Log/Writer/FileWriter.php (+11 -1, modified)
    @@ -66,7 +66,10 @@ public function __construct(array $options = [])
         {
             // the parent constructor reads $options and sets them
             parent::__construct($options);
    -        if (empty($options['logFile'])) {
    +        if (empty($options['logFile']) &&
    +            // omit logging if TYPO3 has not been configured (avoid creating a guessable filename)
    +            ($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] ?? '') !== ''
    +        ) {
                 $this->setLogFile($this->getDefaultLogFileName());
             }
         }
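Review bot: the new guard silently disables file logging for any FileWriter constructed without an explicit `logFile` while `$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']` is empty, and because the check runs once in the constructor the writer stays silent for its whole lifetime even if the key is configured later in the same request. The inline comment gives the right reason (the default file name would otherwise be guessable), but "no log output on an unconfigured installation" is a behaviour change that belongs in the changelog. Style-wise, a comment inside a multi-line `&&` condition is easy to misread; hoisting it, e.g. `$isConfigured = ($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] ?? '') !== '';` before the `if`, keeps the condition on one line.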
    @@ -76,6 +79,9 @@ public function __construct(array $options = [])
          */
         public function __destruct()
         {
    +        if ($this->logFile === '') {
    +            return;
    +        }
             self::$logFileHandlesCount[$this->logFile]--;
             if (self::$logFileHandlesCount[$this->logFile] <= 0) {
                 $this->closeLogFile();
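Review bot: the early return protects `self::$logFileHandlesCount[$this->logFile]--`, which would otherwise index the static array with `''` and emit an undefined-index warning for writers that never received a log file. It relies on `$this->logFile` defaulting to the empty string rather than being left unassigned; the property declaration is outside the hunk, so confirm it has a default, because a typed property without one throws on read here.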
    @@ -130,6 +136,10 @@ public function getLogFile(): string
          */
         public function writeLog(LogRecord $record)
         {
    +        if ($this->logFile === '') {
    +            return $this;
    +        }
    +
             $data = '';
             $context = $record->getData();
             $message = $record->getMessage();
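Review bot: `return $this;` keeps the fluent contract but the record is discarded with no trace, which is intended for the unconfigured case; the method docblock (only its closing `*/` is visible) should say that records are dropped while no log file is set, so callers do not assume every write lands somewhere. This is the same `$this->logFile === ''` check as in `__destruct()`; a small private `hasLogFile()` helper would keep the two from drifting apart.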
    
  • typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml (+0 -3, modified)
    @@ -64,9 +64,6 @@ SYS:
             sitename:
                 type: text
                 description: 'Name of the base-site.'
    -        encryptionKey:
    -            type: text
    -            description: 'This is a "salt" used for various kinds of encryption, CRC checksums and validations. You can enter any rubbish string here but try to keep it secret. You should notice that a change to this value might invalidate temporary information, URLs etc. At least, clear all cache if you change this so any such information can be rebuilt with the new key.'
             cookieDomain:
                 type: text
                 description: 'Restricts the domain name for FE and BE session cookies. When setting the value to ".domain.com" (replace domain.com with your domain!), login sessions will be shared across subdomains. Alternatively, if you have more than one domain with sub-domains, you can set the value to a regular expression to match against the domain of the HTTP request. The result of the match is used as the domain for the cookie. eg. <code>/\.(example1|example2)\.com$/</code> or <code>/\.(example1\.com)|(example2\.net)$/</code>. Separate domains for FE and BE can be set using <a href="#FE-cookieDomain">$TYPO3_CONF_VARS[''FE''][''cookieDomain'']</a> and <a href="#BE-cookieDomain">$TYPO3_CONF_VARS[''BE''][''cookieDomain'']</a> respectively.'
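Review bot: removing the `encryptionKey` entry also removes the only place that documented the operational consequence of changing the key (temporary information and URLs become invalid; clear all caches afterwards). Administrators rotating the key in response to this disclosure will need exactly that guidance, so it should be carried over into the documentation rather than disappear with the form field.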
    
  • typo3/sysext/core/Configuration/DefaultConfiguration.php (+0 -1, modified)
    @@ -89,7 +89,6 @@
             ],
             'createGroup' => '',
             'sitename' => 'TYPO3',
    -        'encryptionKey' => '',
             'cookieDomain' => '',
             'trustedHostsPattern' => 'SERVER_NAME',
             'devIPmask' => '127.0.0.1,::1',
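Review bot: deleting the default `'encryptionKey' => ''` means `$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']` is no longer guaranteed to exist. The FileWriter hunk reads it with `?? ''`, but the test hunks in the two companion commits (TypoScriptParserTest, UriBuilderTest, PdoBackendTest, ContentObjectRendererTest) had to inject the key explicitly, which shows that other readers assume the index is present. Audit those readers for direct array access without a null-coalescing fallback, so that an unconfigured installation fails with a clear error rather than a trail of undefined-index warnings.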
    
df486372ea56

[SECURITY] Do not disclose encryptionKey via InstallTool

https://github.com/TYPO3/typo3 · Benjamin Franzke · Feb 13, 2024 · via ghsa
6 files changed · +21 -5
  • typo3/sysext/core/Classes/Configuration/ConfigurationManager.php (+1 -0, modified)
    @@ -66,6 +66,7 @@ class ConfigurationManager
             'EXTCONF',
             'DB',
             'SYS/caching/cacheConfigurations',
    +        'SYS/encryptionKey',
             'SYS/session',
             'EXTENSIONS',
         ];
    
  • typo3/sysext/core/Classes/Log/Writer/FileWriter.php (+11 -1, modified)
    @@ -66,7 +66,10 @@ public function __construct(array $options = [])
         {
             // the parent constructor reads $options and sets them
             parent::__construct($options);
    -        if (empty($options['logFile'])) {
    +        if (empty($options['logFile']) &&
    +            // omit logging if TYPO3 has not been configured (avoid creating a guessable filename)
    +            ($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] ?? '') !== ''
    +        ) {
                 $this->setLogFile($this->getDefaultLogFileName());
             }
         }
    @@ -76,6 +79,9 @@ public function __construct(array $options = [])
          */
         public function __destruct()
         {
    +        if ($this->logFile === '') {
    +            return;
    +        }
             self::$logFileHandlesCount[$this->logFile]--;
             if (self::$logFileHandlesCount[$this->logFile] <= 0) {
                 $this->closeLogFile();
    @@ -130,6 +136,10 @@ public function getLogFile(): string
          */
         public function writeLog(LogRecord $record)
         {
    +        if ($this->logFile === '') {
    +            return $this;
    +        }
    +
             $data = '';
             $context = $record->getData();
             $message = $record->getMessage();
    
  • typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml (+0 -3, modified)
    @@ -76,9 +76,6 @@ SYS:
             sitename:
                 type: text
                 description: 'Name of the base-site.'
    -        encryptionKey:
    -            type: text
    -            description: 'This is a "salt" used for various kinds of encryption, CRC checksums and validations. You can enter any rubbish string here but try to keep it secret. You should notice that a change to this value might invalidate temporary information, URLs etc. At least, clear all cache if you change this so any such information can be rebuilt with the new key.'
             cookieDomain:
                 type: text
                 description: 'Restricts the domain name for FE and BE session cookies. When setting the value to ".domain.com" (replace domain.com with your domain!), login sessions will be shared across subdomains. Alternatively, if you have more than one domain with sub-domains, you can set the value to a regular expression to match against the domain of the HTTP request. The result of the match is used as the domain for the cookie. eg. <code>/\.(example1|example2)\.com$/</code> or <code>/\.(example1\.com)|(example2\.net)$/</code>. Separate domains for FE and BE can be set using <a href="#FE-cookieDomain">$TYPO3_CONF_VARS[''FE''][''cookieDomain'']</a> and <a href="#BE-cookieDomain">$TYPO3_CONF_VARS[''BE''][''cookieDomain'']</a> respectively.'
    
  • typo3/sysext/core/Configuration/DefaultConfiguration.php (+0 -1, modified)
    @@ -81,7 +81,6 @@
             ],
             'createGroup' => '',
             'sitename' => 'TYPO3',
    -        'encryptionKey' => '',
             'cookieDomain' => '',
             'trustedHostsPattern' => 'SERVER_NAME',
             'devIPmask' => '127.0.0.1,::1',
    
  • typo3/sysext/core/Tests/UnitDeprecated/TypoScript/Parser/TypoScriptParserTest.php (+2 -0, modified)
    @@ -667,7 +667,9 @@ public static function importFilesDataProvider(): array
          */
         public function importFiles(string $typoScript, string $expected): void
         {
    +        $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] = 'secret-encryption-key-test';
             $resolvedIncludeLines = TypoScriptParser::checkIncludeLines($typoScript);
    +        unset($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']);
             self::assertEquals($expected, $resolvedIncludeLines);
         }
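Review bot: the `unset(...)` after `checkIncludeLines()` is skipped whenever that call throws, so the test key would leak into later tests in the same process. Move the cleanup into a `tearDown()` as the UriBuilderTest hunk in this same commit does, and the set/unset pair stays balanced regardless of how the test exits.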
     
    
  • typo3/sysext/extbase/Tests/UnitDeprecated/Mvc/Web/Routing/UriBuilderTest.php (+7 -0, modified)
    @@ -37,13 +37,20 @@ protected function setUp(): void
         {
             parent::setUp();
             $this->mockExtensionService = $this->createMock(ExtensionService::class);
    +        $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] = 'secret-encryption-key-test';
             $this->subject = $this->getAccessibleMock(UriBuilder::class, ['build']);
             $this->subject->setRequest($this->createMock(Request::class));
             $this->subject->injectConfigurationManager($this->createMock(ConfigurationManagerInterface::class));
             $this->subject->injectExtensionService($this->mockExtensionService);
             $this->subject->_set('contentObject', $this->createMock(ContentObjectRenderer::class));
         }
     
    +    protected function tearDown(): void
    +    {
    +        unset($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']);
    +        parent::tearDown();
    +    }
    +
         /**
          * @test
          */
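Review bot: `tearDown()` unsets the key rather than restoring whatever value was present before `setUp()`, which is only safe if the test base class resets `$GLOBALS['TYPO3_CONF_VARS']` between tests; if it does not, a value set by an earlier test is lost. The literal `'secret-encryption-key-test'` is now duplicated across four test classes in these commits; a shared constant or trait on the test base would keep the fixture in one place.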
    
fa12667c0463

[SECURITY] Do not disclose encryptionKey via InstallTool

https://github.com/TYPO3/typo3 · Benjamin Franzke · Feb 13, 2024 · via ghsa
6 files changed · +32 -5
  • typo3/sysext/core/Classes/Configuration/ConfigurationManager.php (+1 -0, modified)
    @@ -78,6 +78,7 @@ class ConfigurationManager
             'EXTCONF',
             'DB',
             'SYS/caching/cacheConfigurations',
    +        'SYS/encryptionKey',
             'SYS/session',
             'EXTENSIONS',
         ];
    
  • typo3/sysext/core/Classes/Log/Writer/FileWriter.php (+11 -1, modified)
    @@ -68,7 +68,10 @@ public function __construct(array $options = [])
         {
             // the parent constructor reads $options and sets them
             parent::__construct($options);
    -        if (empty($options['logFile'])) {
    +        if (empty($options['logFile']) &&
    +            // omit logging if TYPO3 has not been configured (avoid creating a guessable filename)
    +            ($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] ?? '') !== ''
    +        ) {
                 $this->setLogFile($this->getDefaultLogFileName());
             }
         }
    @@ -78,6 +81,9 @@ public function __construct(array $options = [])
          */
         public function __destruct()
         {
    +        if ($this->logFile === '') {
    +            return;
    +        }
             self::$logFileHandlesCount[$this->logFile]--;
             if (self::$logFileHandlesCount[$this->logFile] <= 0) {
                 $this->closeLogFile();
    @@ -132,6 +138,10 @@ public function getLogFile(): string
          */
         public function writeLog(LogRecord $record)
         {
    +        if ($this->logFile === '') {
    +            return $this;
    +        }
    +
             $data = '';
             $context = $record->getData();
             $message = $record->getMessage();
    
  • typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml (+0 -3, modified)
    @@ -80,9 +80,6 @@ SYS:
             sitename:
                 type: text
                 description: 'Name of the base-site.'
    -        encryptionKey:
    -            type: text
    -            description: 'This is a "salt" used for various kinds of encryption, CRC checksums and validations. You can enter any rubbish string here but try to keep it secret. You should notice that a change to this value might invalidate temporary information, URLs etc. At least, clear all cache if you change this so any such information can be rebuilt with the new key.'
             cookieDomain:
                 type: text
                 description: 'Restricts the domain name for FE and BE session cookies. When setting the value to ".domain.com" (replace domain.com with your domain!), login sessions will be shared across subdomains. Alternatively, if you have more than one domain with sub-domains, you can set the value to a regular expression to match against the domain of the HTTP request. The result of the match is used as the domain for the cookie. eg. <code>/\.(example1|example2)\.com$/</code> or <code>/\.(example1\.com)|(example2\.net)$/</code>. Separate domains for FE and BE can be set using <a href="#FE-cookieDomain">$TYPO3_CONF_VARS[''FE''][''cookieDomain'']</a> and <a href="#BE-cookieDomain">$TYPO3_CONF_VARS[''BE''][''cookieDomain'']</a> respectively.'
    
  • typo3/sysext/core/Configuration/DefaultConfiguration.php (+0 -1, modified)
    @@ -83,7 +83,6 @@
             ],
             'createGroup' => '',
             'sitename' => 'TYPO3',
    -        'encryptionKey' => '',
             'cookieDomain' => '',
             'trustedHostsPattern' => 'SERVER_NAME',
             'devIPmask' => '127.0.0.1,::1',
    
  • typo3/sysext/core/Tests/UnitDeprecated/Cache/Backend/PdoBackendTest.php (+12 -0, modified)
    @@ -36,6 +36,18 @@ class PdoBackendTest extends UnitTestCase
          */
         protected $resetSingletonInstances = true;
     
    +    protected function setUp(): void
    +    {
    +        parent::setUp();
    +        $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] = 'secret-encryption-key-test';
    +    }
    +
    +    protected function tearDown(): void
    +    {
    +        unset($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']);
    +        parent::tearDown();
    +    }
    +
         /**
          * @test
          */
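Review bot: adding a `setUp()` whose only job is to inject the key tells us the PDO cache backend reads `$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']` somewhere in the code under test, which the diff does not show. A one-line comment on the fixture (or a sentence in the commit message) saying why a cache backend depends on the key would stop the next maintainer from removing these methods as unrelated.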
    
  • typo3/sysext/frontend/Tests/UnitDeprecated/ContentObject/ContentObjectRendererTest.php (+8 -0, modified)
    @@ -121,6 +121,8 @@ protected function setUp(): void
         {
             parent::setUp();
     
    +        $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] = 'secret-encryption-key-test';
    +
             $site = $this->createSiteWithLanguage([
                 'base' => '/',
                 'languageId' => 2,
    @@ -172,6 +174,12 @@ protected function setUp(): void
             $this->subject->start([], 'tt_content');
         }
     
    +    protected function tearDown(): void
    +    {
    +        unset($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']);
    +        parent::tearDown();
    +    }
    +
         /**
          * @return array
          */
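Review bot: `tearDown()` only unsets the key and relies on `parent::tearDown()` for the site and subject built in the `setUp()` hunk above, which is fine, but it exposes the same question as the other three test classes in these commits: if the base class already resets `$GLOBALS` the unset is redundant, and if it does not, every class that injects the key needs this boilerplate. Pick one mechanism (a base-class reset or a shared trait that sets and clears the test key) so the fixture is maintained in one place.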
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7

News mentions: 0 (no linked articles in the index yet)