N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-59013

CVE-2025-59013: TYPO3 CMS has an open‑redirect vulnerability

An open‑redirect vulnerability in GeneralUtility::sanitizeLocalUrl of TYPO3 CMS 9.0.0–9.5.54, 10.0.0–10.4.53, 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 allows an attacker to redirect users to arbitrary external sites, enabling phishing attacks by supplying a manipulated, sanitized URL.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-59013

CVE-2025-59013:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/cms-core	composer	>= 9.0.0, < 9.5.55	12.4.37
typo3/cms-core	composer	>= 10.0.0, < 10.4.54	12.4.37
typo3/cms-core	composer	>= 11.0.0, < 11.5.48	12.4.37
typo3/cms-core	composer	>= 12.0.0, < 12.4.37	12.4.37
typo3/cms-core	composer	>= 13.0.0, < 13.4.18	13.4.18

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description directly points to GeneralUtility::sanitizeLocalUrl as the source of the open-redirect vulnerability. The provided commit 862b9da870815132c31119cd85bc454a5010793c is explicitly a security fix for this issue. Analyzing the diff for Classes/Utility/GeneralUtility.php shows that the sanitizeLocalUrl function was modified to add validation against URLs containing whitespace or null-byte characters. This is a direct mitigation for open-redirect attacks where attackers use such characters to fool the URL parser. The added test cases in Tests/Unit/Utility/GeneralUtilityTest.php also confirm the exploit vectors that are now being checked for, such as //evil.site/ and /\r\nX-Injected: evil. Therefore, the TYPO3\CMS\Core\Utility\GeneralUtility::sanitizeLocalUrl function is the identified vulnerable function that would be present in a runtime profile during an exploit.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-59013: TYPO3 CMS has an open‑redirect vulnerability

CVE-2025-59013:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-59013: TYPO3 CMS has an open‑redirect vulnerability

N/A

N/A

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI