TYPO3 Vulnerable to Information Disclosure via DBAL Restriction Handling
Description
TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, when performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are only applied via FrontendGroupRestriction to the first table. As a result, data from additional tables included in the same query may be unintentionally exposed to unauthorized users. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TYPO3 CMS DBAL fails to apply frontend user restrictions to all tables in multi-table queries, potentially exposing data to unauthorized users.
Vulnerability
Description
CVE-2025-47937 is an information disclosure vulnerability in TYPO3 CMS affecting versions 9.0.0 through 9.5.50, 10.0.0 through 10.4.49, 11.0.0 through 11.5.43, 12.0.0 through 12.4.30, and 13.0.0 through 13.4.11 [1][3][4]. The root cause lies in the database abstraction layer (DBAL): when a query involves multiple tables, the FrontendGroupRestriction permission check is only applied to the first table. Consequently, data from subsequent tables in the same query may be returned without proper authorization checks [3][4].
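The following Python model, added here and not taken from TYPO3's code base, illustrates the restriction-scoping defect described above in a reduced form. It builds a per-table frontend-group filter for a two-table join, once with the check applied only to the first queried table (the behaviour the advisory describes) and once with it applied to every table (the corrected behaviour), and shows which rows an anonymous visitor would see in each case. The table names, rows, the `fe_group` column semantics and the join are all constructed assumptions for the example.

```python
"""Simplified model of a per-table frontend-group restriction.

Constructed illustration, not TYPO3 code: it models the DBAL restriction
behaviour described in CVE-2025-47937, where a multi-table query only had
the group check applied to the first table. Table names, sample rows and the
'fe_group' column semantics are assumptions for this example.
"""

# Constructed sample data: each table carries a 'fe_group' column listing the
# frontend groups allowed to read the row (an empty set means public).
TABLES = {
    "pages": [
        {"uid": 1, "title": "Public page", "fe_group": set()},
        {"uid": 2, "title": "Members page", "fe_group": {"members"}},
    ],
    "tt_content": [
        {"uid": 10, "pid": 1, "header": "Public text", "fe_group": set()},
        {"uid": 11, "pid": 1, "header": "Members-only text", "fe_group": {"members"}},
    ],
}


def table_predicate(user_groups):
    """Row filter for one table: visible if public or the user shares a group."""
    def allowed(row):
        return not row["fe_group"] or bool(row["fe_group"] & user_groups)
    return allowed


def build_restrictions_vulnerable(queried_tables, user_groups):
    # Defect modelled after the advisory: only the first queried table gets
    # a restriction; every other table in the query is left unfiltered.
    return {queried_tables[0]: table_predicate(user_groups)}


def build_restrictions_fixed(queried_tables, user_groups):
    # Corrected behaviour: each table in the query gets its own restriction.
    return {table: table_predicate(user_groups) for table in queried_tables}


def join_pages_content(restrictions):
    """Join pages with tt_content on pid, applying whatever filters were built.

    A table missing from 'restrictions' is read without any check, which is
    exactly how the unrestricted second table leaks rows.
    """
    def always(_row):
        return True

    page_ok = restrictions.get("pages", always)
    content_ok = restrictions.get("tt_content", always)
    result = []
    for page in TABLES["pages"]:
        if not page_ok(page):
            continue
        for content in TABLES["tt_content"]:
            if content["pid"] == page["uid"] and content_ok(content):
                result.append((page["uid"], content["uid"]))
    return result


def visible_content_uids(builder, user_groups):
    """Content uids a user with 'user_groups' sees under the given builder."""
    restrictions = builder(["pages", "tt_content"], user_groups)
    return sorted(content_uid for _, content_uid in join_pages_content(restrictions))


if __name__ == "__main__":
    anonymous = frozenset()
    # The members-only content row (uid 11) leaks under the vulnerable builder.
    print("vulnerable:", visible_content_uids(build_restrictions_vulnerable, anonymous))  # [10, 11]
    print("fixed:     ", visible_content_uids(build_restrictions_fixed, anonymous))       # [10]
```

The point of the model is the dictionary returned by the builder: a restriction that is keyed only by the first table leaves every joined table without a predicate, so the join falls back to reading it unfiltered. A defender reviewing custom DBAL queries can apply the same check, confirming that every table referenced in a join or subquery contributes its own enable-column conditions rather than relying on the first table's restriction to cover the whole query.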
Exploitation
Conditions
An attacker can exploit this flaw by crafting frontend requests that trigger database queries joining multiple tables. The vulnerability is remotely exploitable without authentication, though the attack complexity is considered high (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) [3]. Successful exploitation requires the attacker to identify or induce a multi-table query where the additional tables contain sensitive information that should be restricted based on frontend user groups [1][4].
Impact
The impact is limited to low-severity information disclosure. An unauthenticated attacker may gain access to data from tables that were intended to be protected by frontend user group restrictions. No modification or deletion of data is possible, and the vulnerability does not affect system availability [3][4].
Mitigation
TYPO3 has released patched versions that correct the restriction logic: 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS [1][3][4]. Users are strongly advised to update to these versions. No workarounds have been published, and the vulnerability is not known to be exploited in the wild as of the advisory date.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| typo3/cms-core (Packagist) | >= 9.0.0, < 9.5.51 | 9.5.51 |
| typo3/cms-core (Packagist) | >= 10.0.0, < 10.4.50 | 10.4.50 |
| typo3/cms-core (Packagist) | >= 11.0.0, < 11.5.44 | 11.5.44 |
| typo3/cms-core (Packagist) | >= 12.0.0, < 12.4.31 | 12.4.31 |
| typo3/cms-core (Packagist) | >= 13.0.0, < 13.4.12 | 13.4.12 |
Affected products
- (no CPE) range: >=9.0.0, <9.5.51 ELTS || >=10.0.0, <10.4.50 ELTS || >=11.0.0, <11.5.44 ELTS || >=12.0.0, <12.4.31 LTS || >=13.0.0, <13.4.12 LTS
- (no CPE) range: >= 9.0.0, < 9.5.51
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-x8pv-fgxp-8v3x (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-47937 (GHSA, advisory)
- github.com/TYPO3/typo3/security/advisories/GHSA-x8pv-fgxp-8v3x (GHSA, x_refsource_CONFIRM, web)
- typo3.org/security/advisory/typo3-core-sa-2025-011 (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.