CVE-2025-48201: 
PHP vulnerability analysis and mitigation

The ns_backup extension through version 13.0.0 for TYPO3 contains a Predictable Resource Location vulnerability. The vulnerability was discovered in May 2025 and was assigned CVE-2025-48201. The affected component is the 'Backup Plus' (ns_backup) extension, which is a third-party extension not included in TYPO3's default installation (TYPO3 Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N. The issue stems from a Predictable Resource Location vulnerability (CWE-425) that allows access to backup and configuration files. The extension fails to properly secure the location where backup and configuration files are stored (TYPO3 Advisory, Wiz Analysis).

The vulnerability allows unauthenticated remote users to download created backups and configuration files due to the predictable resource location. This could potentially expose sensitive system information and configurations stored in the backup files (TYPO3 Advisory).

The vulnerability has been fixed in version 13.0.1 of the ns_backup extension. Users are advised to update to this version as soon as possible. The TYPO3 Security Team recommends downloading and removing all previously created backup files to address the Predictable Resource Location vulnerability. Additionally, users should configure a non-public accessible directory as the target folder for backups (TYPO3 Advisory).