CVE-2025-47941: 
PHP vulnerability analysis and mitigation

TYPO3, an open source PHP-based web content management system, was found to contain a significant authentication vulnerability (CVE-2025-47941) discovered and disclosed on May 20, 2025. The vulnerability affects versions on the 12.x branch prior to 12.4.31 LTS and the 13.x branch prior to 13.4.2 LTS, allowing attackers to bypass the multifactor authentication (MFA) dialog during backend login (TYPO3 Advisory, GitHub Advisory).

The vulnerability is classified as a broken authentication issue (CWE-288) with a CVSS v3.1 base score of 7.2 (High). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H) but no user interaction (UI:N). The scope is unchanged (S:U) with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) (GitHub Advisory).

The vulnerability allows attackers to bypass the multifactor authentication mechanism in TYPO3's backend, potentially gaining unauthorized access to administrative functions. While the impact is significant, it's important to note that successful exploitation requires valid backend user credentials, as the MFA bypass only works after initial authentication (TYPO3 Advisory).

Users are strongly advised to update to TYPO3 version 12.4.31 LTS or 13.4.12 LTS to address this vulnerability. These patched versions implement proper enforcement of access restrictions on backend routes, effectively preventing the MFA bypass (TYPO3 Advisory).

The vulnerability was responsibly disclosed and addressed through the collaborative efforts of security researchers Jens Jacobsen and Y. Kahveci, who reported the issue, and TYPO3 security team member Torben Hansen, who implemented the fix (TYPO3 Advisory).