CVE-2025-57756
BaseFortify
Publication date: 2025-08-28
Last updated on: 2025-09-02
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| contao | contao | From 4.9.0 (inc) to 4.9.14 (inc) |
| contao | contao | From 4.10.0 (inc) to 4.13.56 (exc) |
| contao | contao | From 5.0.0 (inc) to 5.3.38 (exc) |
| contao | contao | From 5.4.0 (inc) to 5.6.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-612 | The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-57756 is an information disclosure vulnerability in the Contao CMS where protected content elements that are rendered as fragments are improperly indexed by the front end search feature. This causes these protected contents to become publicly accessible through the search, even though they should remain restricted. The issue affects multiple versions of Contao prior to patched releases and can be mitigated by upgrading or disabling the front end search. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive or protected content on your website, as the front end search index exposes content that should remain private. This means that anyone using the search feature can access information that was intended to be restricted, potentially leading to data leaks or exposure of confidential information. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability can negatively impact compliance with data protection regulations such as GDPR and HIPAA because it allows unauthorized access to protected or sensitive information. Exposure of such data through the front end search could constitute a breach of confidentiality requirements mandated by these standards, potentially leading to legal and regulatory consequences. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if protected content elements are being indexed and publicly accessible through the front end search feature of Contao CMS. Since the issue involves protected content fragments appearing in search results, you can test the front end search functionality for exposure of sensitive or protected content. There are no specific commands provided in the resources, but a practical approach is to perform searches on the front end of the affected Contao site to see if protected content appears. Additionally, reviewing the Contao version installed can help identify if it is within the vulnerable range (4.9.14 up to 4.13.55, 5.3 up to 5.3.37, or 5.6 up to 5.6.0). [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Contao CMS to the patched versions 4.13.56, 5.3.38, or 5.6.1, which fix the issue by preventing protected content fragments from being indexed. If upgrading immediately is not possible, a recommended workaround is to disable the front end search feature to prevent protected content from being exposed through search results. [1, 2]