CVE-2025-59018: 
PHP vulnerability analysis and mitigation

Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke the corresponding AJAX backend route to disclose sensitive information without having proper access permissions. The vulnerability was disclosed on September 9, 2025, and has been assigned a CVSS v4.0 base score of 7.1 (HIGH) (TYPO3 Advisory).

The vulnerability stems from a broken access control issue in the TYPO3 CMS backend routing system. Specifically, dedicated AJAX routes used by TYPO3 backend modules were not protected by the same permission checks that guard the modules themselves. This security flaw is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability has a CVSS v4.0 vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N, indicating network accessibility with low attack complexity and requiring low privileges (TYPO3 Advisory).

The vulnerability allows authenticated backend users to bypass module-level restrictions and directly access AJAX routes, potentially leading to unauthorized disclosure of sensitive information. Users could read, modify, or delete data directly, effectively circumventing the intended module-level access controls (TYPO3 Advisory).

Organizations should update to the patched versions: TYPO3 9.5.55 ELTS, 10.4.54 ELTS, 11.5.48 ELTS, 12.4.37 LTS, or 13.4.18 LTS. The fix introduces a new AJAX route property 'inheritAccessFromModule' that explicitly binds routes to the permissions of specified backend modules. Developers are advised to always verify authorization on target resources within AJAX handlers or controllers (TYPO3 Advisory).