GHSA-5h5v-m596-r6rf: TYPO3 Possible Insecure Deserialization in Extbase Request Handling
8.1
CVSS Score
3.1
Basic Information
CVE ID
-
GHSA ID
EPSS Score
-
CWE
Published
5/30/2024
Updated
5/30/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| typo3/cms-core | composer | >= 8.0.0, < 8.7.30 | 8.7.30 |
| typo3/cms-core | composer | >= 9.0.0, < 9.5.12 | 9.5.12 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from Extbase's request handling mechanism where user-submitted payloads are deserialized after HMAC verification. The RequestBuilder::build method is responsible for constructing the request object and processing parameters. Since the deserialization occurs after HMAC validation (which depends on the encryptionKey), a compromised key allows attackers to sign malicious payloads and trigger unsafe deserialization via PHP's unserialize() function. This matches the CWE-502 pattern where trusted validation (HMAC) becomes ineffective due to secret leakage.