VYPR
Moderate severity · NVD Advisory · Published Sep 9, 2025 · Updated Sep 9, 2025

Open Redirect in TYPO3 CMS

CVE-2025-59013

Description

An open‑redirect vulnerability in GeneralUtility::sanitizeLocalUrl of TYPO3 CMS 9.0.0–9.5.54, 10.0.0–10.4.53, 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 allows an attacker to redirect users to arbitrary external sites, enabling phishing attacks by supplying a manipulated, sanitized URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An open-redirect vulnerability in TYPO3 CMS's GeneralUtility::sanitizeLocalUrl allows attackers to redirect users to arbitrary external sites, enabling phishing attacks.

Vulnerability

Description

The GeneralUtility::sanitizeLocalUrl function in TYPO3 CMS is designed to validate that a given URL is local and safe for use in redirects. However, it fails to properly sanitize URLs containing certain whitespace characters (space, tab, newline, carriage return, vertical tab, null byte) [1][3]. This oversight allows an attacker to craft a URL that passes the sanitization check but, when used in a redirect header, injects a new location or breaks out of the intended local URL context.

Exploitation

An attacker can supply a manipulated URL such as ' //evil.site/' (with a leading space) or include newline characters to perform HTTP header smuggling [3]. The function returns the URL as valid because the whitespace is not rejected. When the application subsequently uses the sanitized URL in a Location header, the browser interprets the whitespace as a separator, enabling redirection to an arbitrary external site. The attack requires no authentication and only user interaction (e.g., clicking a crafted link) [4].

Impact

Successful exploitation results in an open redirect to any external domain. This can be leveraged for phishing attacks, where users are tricked into visiting malicious sites that appear legitimate [1][4].

Mitigation

TYPO3 has released security updates addressing this vulnerability: versions 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS, 12.4.37 LTS, and 13.4.18 LTS [4]. Users are strongly advised to update their installations immediately. The fix adds explicit checks for whitespace characters in the URL before validation [3].
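As an added example (not TYPO3's code or the patch itself), the following PHP shows why a URL with leading whitespace passes a parse_url()-based local check and how the fix's whitespace guard closes that path; the function names, the $localHost rule and the sample inputs are assumptions.

```php
<?php
// Added illustration, not TYPO3's code: a minimal local-URL check modelled on
// the vulnerability described above, first without and then with the whitespace
// guard that the fix introduces. Assumed rule: accept path-relative URLs and
// absolute URLs on $localHost only.

function isLocalUrlUnguarded(string $url, string $localHost): bool
{
    $parts = parse_url(rawurldecode($url));
    if ($parts === false) {
        return false;
    }
    // With a leading space or tab, parse_url() never sees "//evil.site" as an
    // authority: the whole string lands in 'path' and looks path-relative.
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        return true;
    }
    return isset($parts['host']) && strcasecmp($parts['host'], $localHost) === 0;
}

function isLocalUrlGuarded(string $url, string $localHost): bool
{
    // Same idea as the fix: refuse whitespace and NUL before parsing, because
    // HTTP header handling trims leading whitespace from a Location value and a
    // browser would then follow the protocol-relative "//evil.site/".
    if (strpbrk(rawurldecode($url), " \n\r\t\v\x00") !== false) {
        return false;
    }
    return isLocalUrlUnguarded($url, $localHost);
}

// Constructed inputs: the patch's regression cases plus benign and encoded URLs.
$cases = [
    '/typo3/index.php',
    'https://example.org/typo3/',
    'https://evil.site/',
    ' //evil.site/',
    "\t//evil.site/",
    "/\r\nX-Injected: evil",
    "http\x00://www.google.de",
    '%20//evil.site/',   // percent-encoded space, caught after rawurldecode()
];
foreach ($cases as $url) {
    printf("%-32s unguarded=%-5s guarded=%s\n", json_encode($url),
        var_export(isLocalUrlUnguarded($url, 'example.org'), true),
        var_export(isLocalUrlGuarded($url, 'example.org'), true));
}
```

The unguarded variant accepts ' //evil.site/' and its percent-encoded form as local, while the guarded variant refuses every whitespace-bearing case and still accepts the two benign URLs.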

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions       Patched versions
typo3/cms-core (Packagist)   >= 9.0.0, < 12.4.37     12.4.37
typo3/cms-core (Packagist)   >= 10.0.0, < 12.4.37    12.4.37
typo3/cms-core (Packagist)   >= 11.0.0, < 12.4.37    12.4.37
typo3/cms-core (Packagist)   >= 12.0.0, < 12.4.37    12.4.37
typo3/cms-core (Packagist)   >= 13.0.0, < 13.4.18    13.4.18

Affected products

  • TYPO3/Typo3 (llm-fuzzy)
    Range: 9.0.0–9.5.54, 10.0.0–10.4.53, 11.0.0–11.5.47, 12.0.0–12.4.36, 13.0.0–13.4.17
  • TYPO3/TYPO3 CMS (v5)
    Range: 9.0.0

Patches

862b9da87081

[SECURITY] Fix open redirection via GeneralUtility::sanitizeLocalUrl

https://github.com/TYPO3-CMS/core · Benjamin Franzke · Sep 9, 2025 · via ghsa
2 files changed · +10 −1
  • Classes/Utility/GeneralUtility.php (+5 −1, modified)
    @@ -2551,7 +2551,7 @@ public static function copyDirectory(string $source, string $destination): void
     
         /**
          * Checks if a given string is a valid frame URL to be loaded in the
    -     * backend.
    +     * backend or used in redirect headers.
          *
          * If the given url is empty or considered to be harmless, it is returned
          * as is, else the event is logged and an empty string is returned.
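Review bot: the docblock change (`* backend or used in redirect headers.`) still describes only the "returned as is" and "logged and empty string" outcomes; it should also state the new rule that any URL containing whitespace or a NUL byte is denied and logged, so callers relying on older behaviour know those inputs are now rejected.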
    @@ -2564,6 +2564,10 @@ public static function sanitizeLocalUrl(string $url): string
             $sanitizedUrl = '';
             if (!empty($url)) {
                 $decodedUrl = rawurldecode($url);
    +            if (strpbrk($decodedUrl, " \n\r\t\v\x00") !== false) {
    +                static::getLogger()->notice('URL "{url}" contains unexpected whitespace and was denied as local url.', ['url' => $url]);
    +                return '';
    +            }
                 $parsedUrl = parse_url($decodedUrl);
                 // Pass if URL is on the current host:
                 if (self::isValidUrl($decodedUrl)) {
    
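Review bot: the guard `strpbrk($decodedUrl, " \n\r\t\v\x00")` enumerates six bytes and omits form feed (0x0C) and the other C0 control characters, which header and URL parsers may also trim; rejecting any byte below 0x21 (and 0x7F) with a range check would be more robust than maintaining a list. Running the check on `$decodedUrl` after `rawurldecode($url)` is the right order, since percent-encoded whitespace is caught as well.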
  • Tests/Unit/Utility/GeneralUtilityTest.php (+5 −0, modified)
    @@ -1447,6 +1447,11 @@ public static function sanitizeLocalUrlInvalidDataProvider(): array
                 'invalid URL, UNC path' => ['\\\\foo\\bar\\'],
                 'invalid URL, HTML break out attempt' => ['" >blabuubb'],
                 'base64 encoded string' => ['data:%20text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4='],
    +            'relative URL with location header injection via leading space' => [' //evil.site/'],
    +            'relative URL with location header injection via leading horizontal tab' => ["\t" . '//evil.site/'],
    +            'relative URL with location header injection attempt (not known to work) via vertical white space' => ["\v" . '//evil.site/'],
    +            'HTTP header smuggling attempt' => ["/\r\nX-Injected: evil"],
    +            'null-byte break out attempt' => ["http\x00://www.google.de"],
             ];
         }
     
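Review bot: all five new invalid cases use raw control characters, but the production check runs on `rawurldecode($url)`, so percent-encoded counterparts (e.g. `'%20//evil.site/'` and `'/%0D%0AX-Injected: evil'`) should be added to the invalid-data provider to pin the decode-then-check order; a case showing that a local URL with whitespace in its query string is now also refused would document that trade-off of the broad rejection.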
    


References

