N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-59019

GHSA ID

GHSA-j8vm-7q52-2m2m

EPSS Score

0.1183%

CWE

CWE-200

Published

9/9/2025

Updated

9/9/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-59019

CVE-2025-59019: TYPO3 CSV download feature information disclosure

Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mounts without having access to them.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-59019

GHSA ID

GHSA-j8vm-7q52-2m2m

EPSS Score

0.1183%

CWE

CWE-200

Published

9/9/2025

Updated

9/9/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/cms-backend	composer	>= 12.0.0, < 12.4.37	12.4.37
typo3/cms-backend	composer	>= 13.0.0, < 13.4.18	13.4.18
typo3/cms-recordlist	composer	>= 11.0.0, < 11.5.48	12.4.37

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided vulnerability details and the associated patch commit directly point to a missing authorization vulnerability in the CSV download functionality of TYPO3. The commit c983415f062c32f8edbb78544a0ff3219bc35d17 modifies the RecordListDownloadController.php file, specifically within the handleDownloadRequest function. The added code explicitly introduces a permission check ($backendUser->check('tables_select', $this->table)) that was previously absent. This confirms that the handleDownloadRequest function was the entry point for the vulnerability, as it processed the download request without proper authorization. An attacker could have exploited this by crafting a request to this controller to download data from an arbitrary table. Therefore, this function would be present in any runtime profile capturing the exploitation of this information disclosure vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Missin* *ut*oriz*tion ****ks in t** *SV *ownlo** ***tur* o* TYPO* *MS v*rsions **.*.*‑**.*.**, **.*.*‑**.*.**, *n* **.*.*‑**.*.** *llow ***k*n* us*rs to *is*los* in*orm*tion *rom *r*itr*ry **t***s* t**l*s stor** wit*in t** us*rs' w** mounts wit*out *

Reasoning

T** provi*** vuln*r**ility **t*ils *n* t** *sso*i*t** p*t** *ommit *ir**tly point to * missin* *ut*oriz*tion vuln*r**ility in t** *SV *ownlo** *un*tion*lity o* TYPO*. T** *ommit `****************************************` mo*i*i*s t** `R**or*List*ownl

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-59019: TYPO3 CSV download feature information disclosure

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI