CVE-2025-47939: 
PHP vulnerability analysis and mitigation

TYPO3, an open source PHP-based web content management system, disclosed a security vulnerability (CVE-2025-47939) on May 20, 2025. The vulnerability affects versions 9.0.0 through 13.4.11, specifically in the file management module of TYPO3's backend user interface. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) (GitHub Advisory, TYPO3 Advisory).

The vulnerability stems from the file management module's design which historically allowed the upload of any file type, except those directly executable in a web server context. This security misconfiguration enables the upload of potentially harmful files, such as executable binaries (.exe files) or files with inconsistent file extensions and MIME types, such as files with a .png extension but actually carrying the MIME type application/zip. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-351 (Insufficient Type Distinction) (GitHub Advisory).

While uploaded files are not directly executable through the web server, their presence can introduce indirect risks. Third-party services such as antivirus scanners or malware detection systems might flag or block access to the website if suspicious files are found, potentially affecting the site's availability and reputation (TYPO3 Advisory).

The vulnerability has been fixed in TYPO3 versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS. The fixes introduce new configuration options including $GLOBALS['TYPO3_CONF_VARS']['SYS']['miscfile_ext'] for defining permitted file extensions, and two security feature flags: security.system.enforceAllowedFileExtensions and security.system.enforceFileExtensionMimeTypeConsistency. It is recommended to configure allowed file extensions and enable the enforceAllowedFileExtensions flag (TYPO3 Advisory).