VYPR
Moderate severity · NVD Advisory · Published Sep 9, 2025 · Updated Sep 9, 2025

Denial of Service in TYPO3 Bookmark Toolbar

CVE-2025-59014

Description

An uncaught exception in the Bookmark Toolbar of TYPO3 CMS versions 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 lets administrator‑level backend users trigger a denial‑of‑service condition in the backend user interface by saving manipulated data in the bookmark toolbar.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TYPO3 CMS bookmark toolbar uncaught exception allows admin-level backend users to cause denial of service via manipulated data.

Vulnerability

Description

An uncaught exception in the Bookmark Toolbar (ext:backend) of TYPO3 CMS allows an authenticated administrator-level backend user to trigger a denial-of-service condition in the backend user interface. The root cause is insufficient validation of the data saved for a bookmark: the manipulated arguments are stored, and when the stored shortcuts are loaded again (ShortcutRepository initialises them in its constructor), resolving the bookmark's folder identifier through the File Abstraction Layer (FAL) throws an exception that nothing catches, so the toolbar, and with it the backend interface, fails to render [4].

Exploitation

Prerequisites

Exploitation requires an active backend session with administrator-level privileges. The attacker saves specially crafted, manipulated data in the bookmark toolbar, which the application fails to properly validate before processing. The vulnerability exists in TYPO3 CMS versions 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 [1][4].

Impact

A successful attack results in a persistent denial-of-service condition affecting the backend user interface of the affected TYPO3 instance. Only administrator-level users can exploit this vulnerability, but the condition is persistent because the malformed bookmark is stored and re-read every time the toolbar is initialised; it can disrupt backend operations for all users until the offending shortcut record is removed from the database or the installation is otherwise remediated [4].

Mitigation

The vulnerability is fixed in TYPO3 versions 11.5.48 ELTS, 12.4.37 LTS, and 13.4.18 LTS [4]. Administrators should update their installations to these patched versions as soon as possible; note that the 11.5 fix is only available as an ELTS release. The fix (see the patch below) wraps the folder resolution in ShortcutRepository::initShortcuts() in a catch for any Throwable, logs the error and skips that shortcut, so a malformed bookmark no longer blocks the toolbar [2]. Until the update is applied, deleting the malformed shortcut record from the database restores the backend.
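To triage an installation against this advisory, the following Python script does two things: it compares a typo3/cms-backend version with the affected ranges given in the description above, and it scans dumped backend shortcut rows for the malformed argument shapes that the fix's functional test exercises (invalid JSON, a record_edit "edit" payload that is not a table-to-uid map, a media_management folder identifier with a ".." segment). This is an added example, not code from this page or from the TYPO3 project. The row layout (uid, userid, route, arguments) follows TYPO3's sys_be_shortcuts table as I know it but is an assumption here, the sample rows are constructed, and a flagged row is a candidate to inspect, not proof that it triggers the exception.

```python
"""Triage helpers for CVE-2025-59014 (TYPO3 bookmark toolbar DoS).

Added example, not TYPO3 code. The sys_be_shortcuts column names and the
sample rows below are assumptions / constructed data.
"""
import json
import re

# Affected ranges and first fixed versions, taken from the advisory text.
AFFECTED_RANGES = (
    ((11, 0, 0), (11, 5, 48)),   # 11.0.0 .. 11.5.47, fixed in 11.5.48 ELTS
    ((12, 0, 0), (12, 4, 37)),   # 12.0.0 .. 12.4.36, fixed in 12.4.37 LTS
    ((13, 0, 0), (13, 4, 18)),   # 13.0.0 .. 13.4.17, fixed in 13.4.18 LTS
)

# FAL combined folder identifier: "<storageUid>:<path>"
COMBINED_ID = re.compile(r"^(\d+):(.*)$")


def parse_version(text: str) -> tuple[int, ...]:
    """'v13.4.17' or '13.4.17-dev' -> (13, 4, 17); pre-release suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version: str) -> bool:
    """True if typo3/cms-backend at `version` lies in an affected range."""
    v = parse_version(version)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


def check_arguments(route: str, arguments: str, known_tables=None) -> list[str]:
    """Return the reasons a stored shortcut looks malformed; [] means it looks clean.

    `known_tables` (optional set of table names) enables flagging record_edit
    shortcuts that point at a table the installation does not have.
    """
    problems: list[str] = []
    try:
        data = json.loads(arguments)
    except json.JSONDecodeError:
        return ["arguments are not valid JSON"]
    if not isinstance(data, dict):
        return ["arguments are not a JSON object"]
    if route == "record_edit":
        edit = data.get("edit")
        if not isinstance(edit, dict):
            problems.append("'edit' is not a table => uid map")
        else:
            for table, uids in edit.items():
                if not re.fullmatch(r"[a-z0-9_]+", table) or not isinstance(uids, dict):
                    problems.append(f"'edit[{table}]' is not a uid => command map")
                elif known_tables is not None and table not in known_tables:
                    problems.append(f"'edit[{table}]' refers to an unknown table")
    elif route == "media_management":
        ident = str(data.get("id", ""))
        m = COMBINED_ID.match(ident)
        if not m:
            problems.append("'id' is not a combined identifier <storageUid>:<path>")
        elif ".." in m.group(2).split("/"):
            problems.append("'id' path contains a '..' segment")
    return problems


def find_suspicious_shortcuts(rows, known_tables=None):
    """rows: iterable of dicts with uid, userid, route, arguments. Returns [(uid, reasons)]."""
    flagged = []
    for row in rows:
        reasons = check_arguments(row["route"], row["arguments"], known_tables)
        if reasons:
            flagged.append((row["uid"], reasons))
    return flagged


# Constructed sample rows in the assumed sys_be_shortcuts layout; uids 2-5
# mirror the payloads used by the fix's functional test, 1 and 6 are benign.
SAMPLE_ROWS = [
    {"uid": 1, "userid": 1, "route": "record_edit",
     "arguments": json.dumps({"edit": {"pages": {"42": "edit"}}})},
    {"uid": 2, "userid": 1, "route": "record_edit", "arguments": "$INVALID/JSON$"},
    {"uid": 3, "userid": 1, "route": "record_edit",
     "arguments": json.dumps({"edit": [9, 8, 7]})},
    {"uid": 4, "userid": 1, "route": "record_edit",
     "arguments": json.dumps({"edit": {"invalid": {"987": "edit"}}})},
    {"uid": 5, "userid": 2, "route": "media_management",
     "arguments": json.dumps({"id": "1:any/../../thing"})},
    {"uid": 6, "userid": 2, "route": "media_management",
     "arguments": json.dumps({"id": "1:fileadmin/user_upload"})},
]

if __name__ == "__main__":
    for v in ("11.5.47", "12.4.37", "13.4.17"):
        print(f"typo3/cms-backend {v}: {'affected' if is_vulnerable(v) else 'patched'}")
    for uid, reasons in find_suspicious_shortcuts(SAMPLE_ROWS, {"pages", "tt_content"}):
        print(f"shortcut uid={uid}: {'; '.join(reasons)}")
```

Feed `find_suspicious_shortcuts()` with rows exported from the shortcut table of the instance (and the installation's real table list as `known_tables`), then delete or inspect the flagged rows; on an unpatched instance that is the workaround the Impact section describes.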

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
typo3/cms-backend (Packagist) | >= 11.0.0, < 12.4.37 | 12.4.37
typo3/cms-backend (Packagist) | >= 12.0.0, < 12.4.37 | 12.4.37
typo3/cms-backend (Packagist) | >= 13.0.0, < 13.4.18 | 13.4.18

Affected products (2)

  • TYPO3/Typo3 [llm-fuzzy]
    Range: 11.0.0-11.5.47, 12.0.0-12.4.36, 13.0.0-13.4.17
  • TYPO3/TYPO3 CMS [v5]
    Range: 11.0.0

Patches (1)

Commit 04db7e25de1d

[SECURITY] Properly catch FAL exceptions in ShortcutRepository

https://github.com/TYPO3-CMS/backend · Oliver Hader · Sep 9, 2025 · via ghsa
2 files changed · +59 −7
  • Classes/Backend/Shortcut/ShortcutRepository.php (+9 −0, modified)
    @@ -17,6 +17,7 @@
     
     namespace TYPO3\CMS\Backend\Backend\Shortcut;
     
    +use Psr\Log\LoggerInterface;
     use Symfony\Component\DependencyInjection\Attribute\Autoconfigure;
     use TYPO3\CMS\Backend\Module\ModuleProvider;
     use TYPO3\CMS\Backend\Routing\Router;
    @@ -59,6 +60,7 @@ public function __construct(
             protected readonly ModuleProvider $moduleProvider,
             protected readonly Router $router,
             protected readonly UriBuilder $uriBuilder,
    +        protected readonly LoggerInterface $logger,
         ) {
             $this->shortcutGroups = $this->initShortcutGroups();
             $this->shortcuts = $this->initShortcuts();
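Review bot: adding `protected readonly LoggerInterface $logger` as a required constructor parameter changes the public constructor signature of ShortcutRepository in a patch release; any code that instantiates the repository directly (as the functional test did before this change) now fails with an ArgumentCountError. Consider `LoggerAwareInterface`/`LoggerAwareTrait`, which TYPO3's DI wires automatically, or a nullable default that falls back to a `NullLogger`, and mention the signature change in the release notes.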
    @@ -444,6 +446,13 @@ protected function initShortcuts(): array
                         } catch (FolderDoesNotExistException $e) {
                             // Folder does not longer exists. However, the shortcut
                             // is still displayed, allowing the user to remove it.
    +                    } catch (\Throwable $e) {
    +                        // Catch any other error or exception to avoid blocking this component
    +                        $this->logger->error('Failed to resolve folder identifier "{folder}" in backend user shortcut: {message}', [
    +                            'folder' => $folderIdentifier,
    +                            'message' => $e->getMessage(),
    +                        ]);
    +                        continue;
                         }
                     }
                 } else {
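Review bot: the new `catch (\Throwable $e)` branch ends with `continue`, whereas the `FolderDoesNotExistException` branch directly above deliberately keeps the shortcut "allowing the user to remove it". A shortcut that lands in the new branch is dropped from the rendered list but stays in the database, so the user has no UI path to delete the record that will be logged again on every initialisation; either keep it listed like the folder-missing case or state in the comment that cleanup has to happen in the database. Also pass the exception object in the log context (`'exception' => $e`) rather than only `$e->getMessage()`, so the stack trace is retained, and include the shortcut's uid so an administrator can find the row; and since `\Throwable` also swallows `\Error` subclasses such as TypeError, say in the comment that this is intended.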
    
  • Tests/Functional/Backend/Shortcut/ShortcutRepositoryTest.php (+50 −7, modified)
    @@ -27,13 +27,16 @@
     use TYPO3\CMS\Core\Http\ServerRequest;
     use TYPO3\CMS\Core\Imaging\IconFactory;
     use TYPO3\CMS\Core\Localization\LanguageServiceFactory;
    +use TYPO3\CMS\Core\Log\LogManager;
     use TYPO3\CMS\Core\Routing\RequestContextFactory;
     use TYPO3\TestingFramework\Core\Functional\FunctionalTestCase;
     
     final class ShortcutRepositoryTest extends FunctionalTestCase
     {
         protected ShortcutRepository $subject;
     
    +    protected array $coreExtensionsToLoad = ['filelist'];
    +
         protected function setUp(): void
         {
             parent::setUp();
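Review bot: a one-line comment on `protected array $coreExtensionsToLoad = ['filelist'];` saying why the test now needs ext:filelist (presumably so that the `media_management` route used by the new data provider resolves) would spare the next reader a bisect.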
    @@ -46,13 +49,7 @@ protected function setUp(): void
             $requestContextFactory = $this->get(RequestContextFactory::class);
             $uriBuilder = $this->get(UriBuilder::class);
             $uriBuilder->setRequestContext($requestContextFactory->fromBackendRequest($request));
    -        $this->subject = new ShortcutRepository(
    -            $this->get(ConnectionPool::class),
    -            $this->get(IconFactory::class),
    -            $this->get(ModuleProvider::class),
    -            $this->get(Router::class),
    -            $this->get(UriBuilder::class),
    -        );
    +        $this->subject = $this->createShortcutRepository();
         }
     
         #[DataProvider('shortcutExistsTestDataProvider')]
    @@ -186,4 +183,50 @@ public function getShortcutsByGroupTest(): void
                 self::assertStringMatchesFormat($expected[$id]['href'], $shortcut['href']);
             }
         }
    +
    +    public static function invalidShortcutArgumentsAreIgnoredDataProvider(): \Generator
    +    {
    +        yield 'record_edit invalid JSON' => [
    +            'record_edit',
    +            '$INVALID/JSON$',
    +        ];
    +        yield 'record_edit invalid edit data' => [
    +            'record_edit',
    +            json_encode(['edit' => [9, 8, 7]]),
    +        ];
    +        yield 'record_edit incomplete edit data' => [
    +            'record_edit',
    +            json_encode(['edit' => ['invalid' => ['987' => 'edit']]]),
    +        ];
    +        yield 'media_management invalid path' => [
    +            'media_management',
    +            json_encode(['id' => '1:any/../../thing']),
    +        ];
    +        yield 'media_management non-existing path' => [
    +            'media_management',
    +            json_encode(['id' => '1:any/thing']),
    +        ];
    +    }
    +
    +    #[Test]
    +    #[DataProvider('invalidShortcutArgumentsAreIgnoredDataProvider')]
    +    public function invalidShortcutArgumentsAreIgnored($routIdentifier, string $arguments): void
    +    {
    +        $this->expectNotToPerformAssertions();
    +        $this->subject->addShortcut($routIdentifier, $arguments, 'Test');
    +        // create new instance to trigger initialization in constructor
    +        $this->createShortcutRepository();
    +    }
    +
    +    private function createShortcutRepository(): ShortcutRepository
    +    {
    +        return new ShortcutRepository(
    +            $this->get(ConnectionPool::class),
    +            $this->get(IconFactory::class),
    +            $this->get(ModuleProvider::class),
    +            $this->get(Router::class),
    +            $this->get(UriBuilder::class),
    +            $this->get(LogManager::class)->getLogger(ShortcutRepository::class),
    +        );
    +    }
     }
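Review bot: `$routIdentifier` in `invalidShortcutArgumentsAreIgnored()` is a typo for `$routeIdentifier` and, unlike `$arguments`, carries no `string` type declaration; declare it `string $routeIdentifier` to match `addShortcut()`. The test also relies on `expectNotToPerformAssertions()`, so it only proves that constructing the repository no longer throws; asserting that the malformed shortcut is absent from the repository's results (the existing `getShortcutsByGroupTest` shows how to read them back) would pin the intended skip behaviour rather than just the absence of an exception.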
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
