CVE-2025-59022
Unknown Unknown - Not Provided
Arbitrary Data Deletion via Recycler Module in TYPO3 CMS

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: TYPO3

Description
Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59022
EUVD
EUVD-2026-2088
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
typo3 typo3_cms From 10.0.0 (inc) to 10.4.54 (inc)
typo3 typo3_cms From 11.0.0 (inc) to 11.5.48 (inc)
typo3 typo3_cms From 12.0.0 (inc) to 12.4.40 (inc)
typo3 typo3_cms From 13.0.0 (inc) to 13.4.22 (inc)
typo3 typo3_cms From 14.0.0 (inc) to 14.0.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized backend users to delete arbitrary data from any database table, potentially leading to loss of critical site data and unavailability of the website. Such unauthorized data deletion could result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over data access and integrity. The ability to purge data without proper permissions undermines data security and audit requirements mandated by these standards. Therefore, this vulnerability poses a significant risk to compliance with common standards and regulations by enabling unauthorized data destruction and compromising data availability and integrity. [1, 2]

Executive Summary

This vulnerability in TYPO3 CMS's recycler module allows backend users who have access to the recycler module to delete arbitrary data from any database table defined in the Table Configuration Array (TCA) without having the necessary permissions for those tables. Specifically, the 'deleteRecords' action in the recycler module's AJAX route lacked proper permission checks, enabling unauthorized hard deletion of pages and records. This means users could bypass the required 'tables_modify' permissions and permanently delete critical site data, potentially causing significant data loss and site unavailability. The issue was fixed by enforcing strict permission checks, ensuring only users with explicit 'tables_modify' rights and the proper configuration ('mod.recycler.allowDelete=1') can perform deletions. [1, 2, 3, 4]

Impact Analysis

This vulnerability can have a severe impact by allowing attackers or unauthorized backend users to purge and destroy critical site data from any database table, regardless of their permissions. This unauthorized deletion can render the website unavailable, cause loss of important content, disrupt services, and potentially require significant recovery efforts. The high severity and ease of exploitation (network attack vector, low complexity, no user interaction) make it a critical risk for affected TYPO3 CMS installations. [1, 2]

Mitigation Strategies

To mitigate CVE-2025-59022, immediately update your TYPO3 CMS installation to a fixed version: 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, or 14.0.2. Ensure that backend users do not have unnecessary access to the recycler module, and verify that the UserTSconfig option 'mod.recycler.allowDelete' is set to '1' only for trusted users. These updates and configuration changes enforce proper permission checks preventing unauthorized hard deletion of records. Additionally, follow the TYPO3 Security Guide and subscribe to the typo3-announce mailing list for future updates. [2, 1, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59022. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart