
CVE-2025-59017: TYPO3 backend modules have Broken Access Control

CVSS Score: N/A

Basic Information

EPSS Score: 0.10411%
Published: 9/9/2025
Updated: 9/9/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: -

Package Name          | Ecosystem | Vulnerable Versions    | First Patched Version
typo3/cms-workspaces  | composer  | >= 9.0.0, < 9.5.55     | 12.4.37
typo3/cms-workspaces  | composer  | >= 10.0.0, < 10.4.54   | 12.4.37
typo3/cms-workspaces  | composer  | >= 11.0.0, < 11.5.48   | 12.4.37
typo3/cms-workspaces  | composer  | >= 12.0.0, < 12.4.37   | 12.4.37
typo3/cms-workspaces  | composer  | >= 13.0.0, < 13.4.18   | 13.4.18
typo3/cms-recycler    | composer  | >= 9.0.0, < 9.5.55     | 12.4.37
typo3/cms-recycler    | composer  | >= 10.0.0, < 10.4.54   | 12.4.37
typo3/cms-recycler    | composer  | >= 11.0.0, < 11.5.48   | 12.4.37
typo3/cms-recycler    | composer  | >= 12.0.0, < 12.4.37   | 12.4.37
typo3/cms-recycler    | composer  | >= 13.0.0, < 13.4.18   | 13.4.18
typo3/cms-dashboard   | composer  | >= 10.0.0, < 10.4.54   | 12.4.37
typo3/cms-dashboard   | composer  | >= 11.0.0, < 11.5.48   | 12.4.37
typo3/cms-dashboard   | composer  | >= 12.0.0, < 12.4.37   | 12.4.37
typo3/cms-dashboard   | composer  | >= 13.0.0, < 13.4.18   | 13.4.18
typo3/cms-beuser      | composer  | >= 13.0.0, < 13.4.18   | 13.4.18
typo3/cms-beuser      | composer  | >= 12.0.0, < 12.4.37   | 12.4.37
typo3/cms-beuser      | composer  | >= 11.0.0, < 11.5.48   | 12.4.37
typo3/cms-beuser      | composer  | >= 10.0.0, < 10.4.54   | 12.4.37
typo3/cms-beuser      | composer  | >= 9.0.0, < 9.5.55     | 12.4.37
typo3/cms-backend     | composer  | >= 9.0.0, < 9.5.55     | 12.4.37
typo3/cms-backend     | composer  | >= 10.0.0, < 10.4.54   | 12.4.37
typo3/cms-backend     | composer  | >= 11.0.0, < 11.5.48   | 12.4.37
typo3/cms-backend     | composer  | >= 12.0.0, < 12.4.37   | 12.4.37
typo3/cms-backend     | composer  | >= 13.0.0, < 13.4.18   | 13.4.18

Vulnerability Intelligence

Root Cause Analysis

The vulnerability is a Broken Access Control issue in TYPO3's backend. Authenticated backend users could call AJAX routes directly, even if they did not have the necessary permissions for the backend module associated with that route. The root cause was the TYPO3\CMS\Backend\Middleware\BackendModuleValidator::process middleware, which failed to perform authorization checks for these AJAX routes.

The security patches address this by introducing a new option, inheritAccessFromModule, for AJAX route configurations. This option links an AJAX route to a specific backend module. The BackendModuleValidator was updated to check this option and deny access if the user does not have permissions for the specified module, returning a 403 Forbidden status.

The analysis of the commits shows the same pattern applied across multiple components (typo3/cms-backend, typo3/cms-beuser, typo3/cms-dashboard, typo3/cms-recycler, typo3/cms-workspaces). The target property of each modified route points directly at the controller method that was reachable without a module check. These methods, which handle actions such as renaming resources, managing dashboards, and localizing records, are the direct entry points for the unauthorized actions and would appear in a runtime profile or stack trace during exploitation.
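As an added illustration, not code from the TYPO3 project or from this page: an AJAX route declared without a module link beside the same route carrying the inheritAccessFromModule option the patch introduces, plus a minimal stand-alone model of the decision the patched BackendModuleValidator makes. The route key 'file_rename', its path, the module lists and the two helper functions are assumptions; TYPO3's real route names and middleware implementation differ.

```php
<?php
declare(strict_types=1);
// Route declarations in the shape of a TYPO3 Configuration/Backend/AjaxRoutes.php file.
// The route key 'file_rename' and its path are assumptions for this example.
$routesBefore = [
    'file_rename' => [
        'path'   => '/file/rename',
        'target' => 'TYPO3\CMS\Backend\Controller\Resource\ResourceController::renameResourceAction',
        // No module link: every authenticated backend user reaches the controller.
    ],
];

$routesAfter = [
    'file_rename' => [
        'path'   => '/file/rename',
        'target' => 'TYPO3\CMS\Backend\Controller\Resource\ResourceController::renameResourceAction',
        // Patched shape: the route inherits the access check of the module it belongs to.
        'inheritAccessFromModule' => 'media_management',
    ],
];
// Minimal model of the patched validator's decision; $grantedModules stands in for
// the backend user's module permissions (assumption, not TYPO3's real middleware).
function validateAjaxRoute(array $route, array $grantedModules): int
{
    $module = $route['inheritAccessFromModule'] ?? null;
    if ($module === null) {
        // Pre-patch behaviour: nothing is checked beyond being logged in.
        return 200;
    }
    return in_array($module, $grantedModules, true) ? 200 : 403;
}

// Resolve the request path to a route and apply the check before the target
// controller would run. Unknown paths get 404.
function handleAjaxRequest(string $path, array $routes, array $grantedModules): int
{
    foreach ($routes as $route) {
        if ($route['path'] === $path) {
            return validateAjaxRoute($route, $grantedModules);
        }
    }
    return 404;
}

// Constructed users: an editor without media_management, and one with it.
$editorWithoutMedia = ['web_layout', 'dashboard'];
$editorWithMedia    = ['web_layout', 'dashboard', 'media_management'];
printf("before patch, no media access: %d\n", handleAjaxRequest('/file/rename', $routesBefore, $editorWithoutMedia));
printf("after patch,  no media access: %d\n", handleAjaxRequest('/file/rename', $routesAfter, $editorWithoutMedia));
printf("after patch,  media access:    %d\n", handleAjaxRequest('/file/rename', $routesAfter, $editorWithMedia));
```

The first call succeeds because the unpatched route carries no module to check against; the second is refused with 403 once the route is linked to media_management, and the third succeeds again for a user who holds that module.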

Vulnerable functions

TYPO3\CMS\Backend\Middleware\BackendModuleValidator::process
Classes/Middleware/BackendModuleValidator.php
This middleware function is responsible for validating access to backend modules. The vulnerability existed because this function did not perform an authorization check for AJAX routes that were tied to a specific backend module, allowing any authenticated backend user to access them.

TYPO3\CMS\Backend\Controller\Resource\ResourceController::renameResourceAction
Configuration/Backend/AjaxRoutes.php
This function, responsible for renaming resources, was accessible to any authenticated backend user via an AJAX call, regardless of whether they had access to the 'media_management' module.

TYPO3\CMS\Backend\Controller\File\FileController::processAjaxRequest
Configuration/Backend/AjaxRoutes.php
This function, which processes file-related AJAX requests, was accessible to any authenticated backend user, bypassing the module permissions for 'media_management'.

TYPO3\CMS\Backend\Controller\Page\LocalizationController::localizeRecords
Configuration/Backend/AjaxRoutes.php
This function for localizing records could be triggered by any authenticated backend user, even if they did not have access to the 'web_layout' module where this functionality is intended to be used.

TYPO3\CMS\Beuser\Controller\PermissionController::handleAjaxRequest
Configuration/Backend/AjaxRoutes.php
This function handles AJAX requests related to user permissions and was accessible to backend users without the necessary permissions for the 'permissions_pages' module.

TYPO3\CMS\Dashboard\Controller\DashboardAjaxController::updateDashboard
Configuration/Backend/AjaxRoutes.php
This function for updating dashboards could be called by any authenticated backend user, bypassing the authorization check for the 'dashboard' module.

TYPO3\CMS\Recycler\Controller\RecyclerAjaxController::dispatch
Configuration/Backend/AjaxRoutes.php
The dispatcher for the recycler's AJAX functionality was exposed to all authenticated backend users, not just those with access to the 'recycler' module.

TYPO3\CMS\Workspaces\Controller\WorkspacesAjaxController::dispatch
Configuration/Backend/AjaxRoutes.php
The dispatcher for the workspaces AJAX functionality was exposed to all authenticated backend users, not just those with access to the 'workspaces_admin' module.
