CVE-2025-59022
Arbitrary Data Deletion via Recycler Module in TYPO3 CMS

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: TYPO3

Description
Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.
Meta Information
Published: 2026-01-13
Last Modified: 2026-01-13
Generated: 2026-05-07
AI Q&A: 2026-01-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
5 associated CPEs

Vendor   Product     Version / Range
typo3    typo3_cms   From 10.0.0 (inc) to 10.4.54 (inc)
typo3    typo3_cms   From 11.0.0 (inc) to 11.5.48 (inc)
typo3    typo3_cms   From 12.0.0 (inc) to 12.4.40 (inc)
typo3    typo3_cms   From 13.0.0 (inc) to 13.4.22 (inc)
typo3    typo3_cms   From 14.0.0 (inc) to 14.0.1 (inc)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthorized backend users to delete arbitrary data from any database table, potentially leading to loss of critical site data and unavailability of the website. Such unauthorized data deletion could result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over data access and integrity. The ability to purge data without proper permissions undermines data security and audit requirements mandated by these standards. Therefore, this vulnerability poses a significant risk to compliance with common standards and regulations by enabling unauthorized data destruction and compromising data availability and integrity. [1, 2]


Can you explain this vulnerability to me?

This vulnerability in TYPO3 CMS's recycler module allows backend users who have access to the recycler module to delete arbitrary data from any database table defined in the Table Configuration Array (TCA) without having the necessary permissions for those tables. Specifically, the 'deleteRecords' action in the recycler module's AJAX route lacked proper permission checks, enabling unauthorized hard deletion of pages and records. This means users could bypass the required 'tables_modify' permissions and permanently delete critical site data, potentially causing significant data loss and site unavailability. The issue was fixed by enforcing strict permission checks, ensuring only users with explicit 'tables_modify' rights and the proper configuration ('mod.recycler.allowDelete=1') can perform deletions. [1, 2, 3, 4]
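The answer above describes the missing check as a per-table authorization gap: the recycler's delete action accepted any TCA table name without confirming the caller held "tables_modify" for that table, and the fix additionally requires the UserTSconfig flag mod.recycler.allowDelete=1. The following PHP sketch is an added illustration and is not TYPO3's own code; the FakeBackendUser and RecyclerDeleteGate classes, the TCA_TABLES constant and the request shape are assumptions made for this example. It contrasts the unguarded shape with the hardened one and shows why the check must run once per table in a delete request rather than once per request.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. Constructed stand-in for the table names
// that would be registered in $GLOBALS['TCA'].
const TCA_TABLES = ['pages', 'tt_content', 'be_users', 'sys_log'];

// Minimal model of a backend user (assumption): which tables carry a
// "tables_modify" grant, and whether mod.recycler.allowDelete is enabled.
final class FakeBackendUser
{
    public function __construct(
        private array $modifiableTables,
        private bool $allowDelete,
    ) {}

    // Stands in for a check('tables_modify', $table) style lookup.
    public function canModifyTable(string $table): bool
    {
        return in_array($table, $this->modifiableTables, true);
    }

    // Stands in for reading mod.recycler.allowDelete from UserTSconfig.
    public function recyclerAllowDelete(): bool
    {
        return $this->allowDelete;
    }
}

final class RecyclerDeleteGate
{
    // Unguarded shape: the only condition is that the table exists in the TCA,
    // so any recycler user can target any table.
    public static function unguardedAllows(FakeBackendUser $user, string $table): bool
    {
        return in_array($table, TCA_TABLES, true);
    }

    // Hardened shape: table must be a TCA table, hard deletion must be enabled
    // for this user, and the user needs tables_modify for this specific table.
    public static function hardenedAllows(FakeBackendUser $user, string $table): bool
    {
        if (!in_array($table, TCA_TABLES, true)) {
            return false;
        }
        if (!$user->recyclerAllowDelete()) {
            return false;
        }
        return $user->canModifyTable($table);
    }

    // Processes a delete request of the form ['table' => [uid, ...], ...] and
    // reports per table which deletions would proceed and which were denied.
    // The check is evaluated for every table in the request, so a request that
    // mixes a permitted table with a forbidden one is only partially honoured.
    public static function processRequest(FakeBackendUser $user, array $request): array
    {
        $result = ['deleted' => [], 'denied' => []];
        foreach ($request as $table => $uids) {
            $bucket = self::hardenedAllows($user, $table) ? 'deleted' : 'denied';
            $result[$bucket][$table] = array_values($uids);
        }
        return $result;
    }
}

// Demo with a constructed editor who may only modify tt_content.
$editor = new FakeBackendUser(['tt_content'], true);
foreach (['tt_content', 'be_users'] as $table) {
    printf("%-10s unguarded=%-3s hardened=%s\n", $table,
        RecyclerDeleteGate::unguardedAllows($editor, $table) ? 'yes' : 'no',
        RecyclerDeleteGate::hardenedAllows($editor, $table) ? 'yes' : 'no');
}

// Mixed request: tt_content uids go through, be_users uids are denied.
print_r(RecyclerDeleteGate::processRequest($editor, [
    'tt_content' => [12, 13],
    'be_users'   => [1],
]));

// Same editor with mod.recycler.allowDelete disabled: nothing is deletable.
$restricted = new FakeBackendUser(['tt_content'], false);
var_dump(RecyclerDeleteGate::hardenedAllows($restricted, 'tt_content'));
```

From a defender's perspective the useful property is the third block: denied tables are returned explicitly rather than silently dropped, which gives an obvious hook for logging attempts against tables the user does not hold "tables_modify" on.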


How can this vulnerability impact me?

This vulnerability can have a severe impact by allowing attackers or unauthorized backend users to purge and destroy critical site data from any database table, regardless of their permissions. This unauthorized deletion can render the website unavailable, cause loss of important content, disrupt services, and potentially require significant recovery efforts. The high severity and ease of exploitation (network attack vector, low complexity, no user interaction) make it a critical risk for affected TYPO3 CMS installations. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

To mitigate CVE-2025-59022, immediately update your TYPO3 CMS installation to a fixed version: 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, or 14.0.2. Ensure that backend users do not have unnecessary access to the recycler module, and verify that the UserTSconfig option 'mod.recycler.allowDelete' is set to '1' only for trusted users. These updates and configuration changes enforce proper permission checks preventing unauthorized hard deletion of records. Additionally, follow the TYPO3 Security Guide and subscribe to the typo3-announce mailing list for future updates. [2, 1, 4]

