CVE-2025-47937: TYPO3 Allows Information Disclosure via DBAL Restriction Handling

May 20, 2025

Problem

When performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are only applied via FrontendGroupRestriction to the last table. As a result, data from additional tables included in the same query may be unintentionally exposed to unauthorized users.

Solution

Update to TYPO3 versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, 13.4.12 LTS that fix the problem described.

Credits

Thanks to Christian Futterlieb for reporting this issue, and to TYPO3 security team member Elias Häußler for fixing it.

References

github.com/TYPO3-CMS/core
github.com/TYPO3/typo3/security/advisories/GHSA-x8pv-fgxp-8v3x
github.com/advisories/GHSA-x8pv-fgxp-8v3x
nvd.nist.gov/vuln/detail/CVE-2025-47937
typo3.org/security/advisory/typo3-core-sa-2025-011

Code Behaviors & Features

Detect and mitigate CVE-2025-47937 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →