CVE-2025-48205: 
PHP vulnerability analysis and mitigation

The srfeuserregister extension through version 12.4.8 for TYPO3 contains multiple critical vulnerabilities, including Remote Code Execution (RCE) and Insecure Direct Object Reference (IDOR). The vulnerability was discovered in May 2025 and affects the Front End User Registration extension, which is a third-party component not included in the default TYPO3 installation (TYPO3 Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.6 HIGH with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N. The issue stems from two main problems: First, the extension allows the exchange of serialized file object representations without proper validation, enabling arbitrary serialized PHP object injection that could lead to RCE. Second, the extension fails to verify file identifier authorization for downloads, allowing unauthorized file access (TYPO3 Advisory, Wiz).

The vulnerabilities allow attackers to potentially execute arbitrary code on the server through the RCE vulnerability and access unauthorized files through the IDOR vulnerability. This combination of vulnerabilities presents a critical security risk to affected systems, potentially exposing sensitive data and allowing system compromise (TYPO3 Advisory, Wiz).

An updated version 12.5.0 has been released to address these vulnerabilities. Users are strongly advised to update the extension as soon as possible. The update is available through the TYPO3 extension manager, packagist, and can be downloaded directly from the TYPO3 extension repository (TYPO3 Advisory).