CVE-2025-59017: 
PHP vulnerability analysis and mitigation

CVE-2025-59017 is a broken access control vulnerability discovered in TYPO3 CMS, disclosed on September 9, 2025. The vulnerability affects multiple versions of TYPO3 CMS (9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17) and allows backend users to directly invoke AJAX backend routes without having proper access to the corresponding backend modules (TYPO3 Advisory).

The vulnerability stems from missing authorization checks in the Backend Routing component of TYPO3 CMS. The AJAX routes used by TYPO3 backend modules were not protected by the same permission checks that guard the modules themselves. The vulnerability has been assigned a CVSS v4.0 base score of 5.3 (MEDIUM) with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N, and a CVSS v3.1 base score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-862 (Missing Authorization) (NVD).

This vulnerability allows authenticated backend users to bypass module-level restrictions and directly access AJAX routes, potentially enabling them to read, modify, or delete data without proper authorization (TYPO3 Advisory).

Organizations should update to the patched versions: TYPO3 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS, 12.4.37 LTS, or 13.4.18 LTS. The fix introduces a new AJAX route property 'inheritAccessFromModule' that explicitly binds routes to the permissions of specified backend modules. Developers are advised to verify authorization on target resources within AJAX handlers or controllers (TYPO3 Advisory).

The vulnerability was discovered and reported by TYPO3 security team member Elias Häußler, who also provided the fix (TYPO3 Advisory).