CVE-2025-59016: 
PHP vulnerability analysis and mitigation

Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed low-level file-system operations. The vulnerability was discovered and disclosed on September 9, 2025, and is tracked as CVE-2025-59016 (TYPO3 Advisory).

The vulnerability is classified as an Information Disclosure issue (CWE-209) in the File Abstraction Layer component of TYPO3 CMS. It has received a CVSS v4.0 base score of 5.3 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N, and a CVSS v3.1 base score of 4.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).

When specific low-level file-system operations fail during execution through the File Abstraction Layer, the full path of the affected resource is disclosed. The impact is limited as it requires a valid backend user account to exploit (TYPO3 Advisory).

Users should update to the fixed versions: TYPO3 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS, 12.4.37 LTS, or 13.4.18 LTS. The vulnerability was fixed by TYPO3 core team member Andreas Kienast (TYPO3 Advisory).