CVE-2024-55892: 
PHP vulnerability analysis and mitigation

TYPO3 is a free and open source Content Management Framework affected by a vulnerability (CVE-2024-55892) discovered in January 2025. The vulnerability affects applications that use TYPO3\CMS\Core\Http\Uri to parse externally provided URLs, potentially leading to open redirect or SSRF attacks. The affected versions include TYPO3 9.0.0-9.5.48, 10.0.0-10.4.47, 11.0.0-11.5.41, 12.0.0-12.4.24, and 13.0.0-13.4.2 (GitHub Advisory, TYPO3 Advisory).

The vulnerability occurs when applications use the TYPO3\CMS\Core\Http\Uri component to parse externally provided URLs, such as those received via query parameters. The issue arises when validating the host of the parsed URL, as the validation checks can be bypassed if the URL is used after the validation process. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating network accessibility with high attack complexity (GitHub Advisory).

The vulnerability can lead to open redirect attacks or Server-Side Request Forgery (SSRF) attacks. These attacks could potentially compromise the security of the application by redirecting users to malicious websites or making unauthorized server requests (GitHub Advisory).

Users are advised to update to the patched versions: TYPO3 9.5.49 ELTS, 10.4.48 ELTS, 11.5.42 LTS, 12.4.25 LTS, or 13.4.3 which contain fixes for this vulnerability. No alternative workarounds have been provided (GitHub Advisory, TYPO3 Advisory).

The vulnerability was responsibly disclosed and fixed with the collaboration of security researchers Sam Mush and Christian Eßl, who reported the issue, and TYPO3 core & security team member Benjamin Franzke, who implemented the fix (TYPO3 Advisory).