CVE-2025-59019: 
PHP vulnerability analysis and mitigation

Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mounts without having access to them. The vulnerability was discovered and disclosed on September 9, 2025, and is tracked as CVE-2025-59019. The issue affects the List Module component (ext:backend, ext:recordlist) of TYPO3 CMS (TYPO3 Advisory).

The vulnerability is classified as an Information Disclosure issue (CWE-200) with a CVSS v4.0 Base Score of 5.3 (Medium) and vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. The CVSS v3.1 Base Score is 4.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability exists in the CSV download feature of the backend user interface, which failed to perform proper permission checks when requesting data from database tables (TYPO3 Advisory).

The vulnerability allows backend users to access and retrieve records from database tables they should not have permission to view. However, the scope of the information disclosure is limited to database records that fall within the page tree where the user already has access permissions (TYPO3 Advisory).

Users should update to the fixed versions: TYPO3 11.5.48 ELTS, 12.4.37 LTS, or 13.4.18 LTS. The vulnerability has been addressed by implementing proper authorization checks in the CSV download feature (TYPO3 Advisory).