
Description

Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed low-level file-system operations.

PUBLISHED Reserved 2025-09-07 | Published 2025-09-09 | Updated 2025-09-09 | Assigner TYPO3




MEDIUM: 5.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-209 Generation of Error Message Containing Sensitive Information

Product status

Default status: unaffected

9.0.0 (semver) before 9.5.55: affected

10.0.0 (semver) before 10.4.54: affected

11.0.0 (semver) before 11.5.48: affected

12.0.0 (semver) before 12.4.37: affected

13.0.0 (semver) before 13.4.18: affected

Credits

Dmitry Petschke (reporter)

Marc Willmann (reporter)

Andreas Kienast (remediation developer)

References

typo3.org/security/advisory/typo3-core-sa-2025-020 (vendor-advisory)

cve.org (CVE-2025-59016)

nvd.nist.gov (CVE-2025-59016)
