
Cloud Vulnerability DB
A community-led vulnerabilities database
TYPO3, an open source PHP-based web content management system, was found to contain a Server-Side Request Forgery (SSRF) vulnerability (CVE-2025-47936) in its Webhooks functionality. The vulnerability affects versions on the 12.x branch prior to 12.4.31 LTS and the 13.x branch prior to 13.4.12 LTS. The issue was discovered by the National Cyber Security Center (NCSC) of Switzerland and disclosed on May 20, 2025 (TYPO3 Advisory, GitHub Advisory).
The vulnerability has been classified as CWE-918 (Server-Side Request Forgery) and received a CVSS v3.1 base score of 3.3 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L. The scoring reflects that while the attack vector is network-accessible, it requires high attack complexity and high privileges to exploit (GitHub Advisory).
The vulnerability could allow attackers to target internal resources, such as localhost or other services on the local network, potentially enabling them to blindly access systems that would otherwise be inaccessible. However, the impact is somewhat limited as an administrator-level backend user account is required to exploit this vulnerability (TYPO3 Advisory).
The vulnerability has been patched in TYPO3 versions 12.4.31 LTS and 13.4.12 LTS. Additionally, administrators are advised to explicitly restrict which hosts webhooks may reach by configuring an allowlist in $GLOBALS['TYPO3_CONF_VARS']['HTTP']['allowed_hosts']['webhooks']. If the allowlist is not defined or is set to null, all requests are allowed; if it is set to an empty array, all requests are blocked. The factory default allows all requests so that existing webhooks do not fail after upgrading, which means the restriction is only effective once an administrator sets it (TYPO3 Advisory).
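The three allowlist states described above, as an added configuration example that is not code from the TYPO3 project or from the advisory. The file path (config/system/additional.php for a Composer-based TYPO3 12/13 installation), the host names, and the helper function webhookTargetAllowed() are assumptions for illustration; the helper reproduces the documented null / empty-array / list semantics with exact host matching and is not the matching logic TYPO3 itself ships.

```php
<?php
// Added example (not TYPO3 core code). Assumed location:
// config/system/additional.php in a Composer-based TYPO3 12/13 install.

// State 1: factory default after upgrade. null (or the key being absent)
// allows every webhook target, including localhost and internal hosts. Weak.
// $GLOBALS['TYPO3_CONF_VARS']['HTTP']['allowed_hosts']['webhooks'] = null;

// State 2: an empty array blocks every outgoing webhook request.
// $GLOBALS['TYPO3_CONF_VARS']['HTTP']['allowed_hosts']['webhooks'] = [];

// State 3 (recommended): an explicit allowlist of the external hosts that
// webhooks legitimately need to reach. Host names below are constructed.
$GLOBALS['TYPO3_CONF_VARS']['HTTP']['allowed_hosts']['webhooks'] = [
    'hooks.example.com',
    'api.partner.example',
];

/**
 * Illustrative decision function (an assumption for this example, not TYPO3's
 * implementation): null = allow all, [] = deny all, otherwise the URL's host
 * must match one allowlisted entry exactly, case-insensitively.
 */
function webhookTargetAllowed(string $url, ?array $allowedHosts): bool
{
    if ($allowedHosts === null) {
        return true; // no allowlist configured: unrestricted
    }
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false; // unparsable or host-less URL is never allowed
    }
    $normalized = array_map('strtolower', $allowedHosts);
    return in_array(strtolower($host), $normalized, true);
}

// Demonstration with constructed targets: only the allowlisted external host
// passes; localhost and an internal-network name are rejected.
$allowed = $GLOBALS['TYPO3_CONF_VARS']['HTTP']['allowed_hosts']['webhooks'];
foreach ([
    'https://hooks.example.com/notify',
    'http://localhost/',
    'http://intranet.example.internal/',
] as $target) {
    printf("%-40s %s\n", $target, webhookTargetAllowed($target, $allowed) ? 'allowed' : 'blocked');
}
```

After setting the allowlist, review the webhooks defined in the backend against the list, since any webhook pointing at a host not on it will stop firing rather than fall back to the permissive default.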
Source: This report was generated using AI