CVE-2025-57756: Contao discloses sensitive information in the front end search index
5.3
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| contao/core-bundle | composer | >= 4.9.14, < 4.13.56 | 4.13.56 |
| contao/contao | composer | >= 4.9.14, < 4.13.56 | 4.13.56 |
| contao/core-bundle | composer | >= 5.0.0-RC1, < 5.3.38 | 5.3.38 |
| contao/core-bundle | composer | >= 5.4.0-RC1, < 5.6.1 | 5.6.1 |
| contao/contao | composer | >= 5.0.0-RC1, < 5.3.38 | 5.3.38 |
| contao/contao | composer | >= 5.4.0-RC1, < 5.6.1 | 5.6.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability lies in the incorrect implementation of protection checks within the Contao core bundle. Specifically, the getFrontendModule and getContentElement functions in Contao\Controller were using the wrong object variables ($objModule and $objElement respectively) to verify if a module or content element was marked as protected. The patch corrects this by using the $objRow object, which accurately reflects the protection status. As a result of this flaw, content that was intended to be restricted was instead being indexed by the search system, making it accessible to unauthorized users through the front-end search interface. The identified functions are directly responsible for this information leak as they contain the flawed conditional logic that was bypassed.