CVE-2025-59021
Unknown Unknown - Not Provided
Improper Access Control in TYPO3 Redirects Enables Phishing

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: TYPO3

Description
Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, create, and modify any redirect record without restriction to the user’s own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs – facilitating phishing or other malicious redirect attacks. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59021
EUVD
EUVD-2026-2089
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
typo3 typo3_cms From 10.0.0 (inc) to 10.4.54 (inc)
typo3 typo3_cms From 11.0.0 (inc) to 11.5.48 (inc)
typo3 typo3_cms From 12.0.0 (inc) to 12.4.40 (inc)
typo3 typo3_cms From 13.0.0 (inc) to 13.4.22 (inc)
typo3 typo3_cms From 14.0.0 (inc) to 14.0.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-59021 is a broken access control vulnerability in the TYPO3 CMS Redirects module. Backend users who have access to the redirects module and write permissions on the sys_redirect table could read, create, and modify any redirect record without restrictions tied to their assigned file-mounts or web-mounts. This flaw allowed attackers to insert or alter redirects pointing to arbitrary URLs, which could be used to facilitate phishing or other malicious redirect attacks. [1]

Impact Analysis

This vulnerability can allow attackers with backend access to create or modify redirect records to point to arbitrary URLs. This can be exploited to perform phishing attacks or redirect users to malicious websites, potentially compromising user security and trust. Unauthorized modification of redirects can also lead to privilege escalation or unauthorized access to resources by bypassing intended access controls. [1]

Detection Guidance

This vulnerability can be detected by checking if backend users have unauthorized access to the redirects module and write permissions on the sys_redirect table, allowing them to read, create, or modify redirect records beyond their assigned file-mounts or web-mounts. Detection involves auditing user permissions on the sys_redirect table and monitoring for unexpected or unauthorized redirect entries pointing to arbitrary URLs. Specific commands are not provided in the resources, but reviewing TYPO3 backend user permissions and inspecting the sys_redirect database table for suspicious redirects is recommended. [1, 4]

Mitigation Strategies

Immediate mitigation steps include updating TYPO3 CMS to fixed versions: 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, or 14.0.2, which contain the security patch. The patch enforces strict permission checks on the redirects module, restricting backend users' ability to list, create, or modify redirect records without proper permissions. Additionally, ensure backend users have appropriate permissions on the sys_redirect table, restrict access to redirect source hosts and targets based on user permissions, and follow TYPO3 Security Guide recommendations. Subscribing to the typo3-announce mailing list for updates is also advised. [1, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59021. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart