CVE-2025-59018: TYPO3 Workspaces Module Information Disclosure

September 9, 2025

Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke the corresponding AJAX backend route to disclose sensitive information without having access.

References

github.com/TYPO3-CMS/workspaces
github.com/TYPO3-CMS/workspaces/commit/114c189c7b30181cee96d176e31f212b02d14d4d
github.com/advisories/GHSA-w2pf-7q5w-2cgw
nvd.nist.gov/vuln/detail/CVE-2025-59018
typo3.org/security/advisory/typo3-core-sa-2025-022

Code Behaviors & Features

Detect and mitigate CVE-2025-59018 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →