CVE-2025-59017: 
PHP vulnerability analysis and mitigation

CVE-2025-59017 is a security vulnerability discovered in TYPO3 CMS affecting versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17. The vulnerability was disclosed on September 9, 2025, and involves missing authorization checks in the Backend Routing component that allow backend users to directly invoke AJAX backend routes without having proper access to the corresponding backend modules (TYPO3 Advisory).

The vulnerability is classified as a Broken Access Control issue (CWE-862) where AJAX routes used by TYPO3 backend modules lacked proper permission validation. The vulnerability has been assigned a CVSS v4.0 base score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N, indicating that it requires network access and low privileges to exploit (TYPO3 Advisory).

The vulnerability allows authenticated backend users to bypass module-level restrictions and directly access AJAX routes they shouldn't have permission to use. This could result in unauthorized users being able to read, modify, or delete data by circumventing the intended module-level access controls (TYPO3 Advisory).

TYPO3 has released patched versions 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS, 12.4.37 LTS, and 13.4.18 LTS to address this vulnerability. The fix introduces a new AJAX route property 'inheritAccessFromModule' that explicitly binds routes to the permissions of specified backend modules. Developers are advised to verify authorization on target resources within AJAX handlers or controllers (TYPO3 Advisory).