CVE-2025-59019: TYPO3 CSV download feature information disclosure

September 9, 2025

Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users’ web mounts without having access to them.

References

github.com/TYPO3-CMS/backend/commit/c983415f062c32f8edbb78544a0ff3219bc35d17
github.com/advisories/GHSA-j8vm-7q52-2m2m
nvd.nist.gov/vuln/detail/CVE-2025-59019
typo3.org/security/advisory/typo3-core-sa-2025-023

Code Behaviors & Features

Detect and mitigate CVE-2025-59019 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →