CVE-2025-47937: 
PHP vulnerability analysis and mitigation

TYPO3, an open source PHP-based web content management system, was found to contain a vulnerability (CVE-2025-47937) affecting versions from 9.0.0 through versions prior to 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS. The vulnerability was disclosed on May 20, 2025, and involves improper authorization in the database abstraction layer (DBAL) (TYPO3 Advisory, GitHub Advisory).

The vulnerability stems from a flaw in the database abstraction layer (DBAL) where frontend user permissions are only applied via FrontendGroupRestriction to the first table when performing database queries involving multiple tables. This implementation weakness is classified as CWE-863 (Incorrect Authorization). The vulnerability has been assigned a CVSS v3.1 base score of 3.7 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with high attack complexity and no required privileges or user interaction (GitHub Advisory).

The vulnerability can lead to information disclosure where data from additional tables included in the same query may be unintentionally exposed to unauthorized users. This creates a potential security risk where sensitive information could be accessed by users who should not have permission to view it (TYPO3 Advisory).

The recommended mitigation is to update to the patched versions: TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS. These versions contain the necessary fixes to address the DBAL restriction handling issue (TYPO3 Advisory).