CVE-2025-59016: TYPO3 CMS exposes sensitive information in an error message

September 9, 2025 (updated November 10, 2025)

Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed low-level file-system operations.

References

github.com/TYPO3-CMS/core
github.com/TYPO3-CMS/core/commit/e1e4380a2d8e72228c597403f0463c21d6e1b8d9
github.com/advisories/GHSA-cvm2-5f78-g9m8
nvd.nist.gov/vuln/detail/CVE-2025-59016
typo3.org/security/advisory/typo3-core-sa-2025-020

Code Behaviors & Features

Detect and mitigate CVE-2025-59016 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →