CVE-2025-59021
Published: 2026-01-13
Priority: P3 (39) · Severity: medium, 6.4 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:C / C:L / I:L / A:N
EPSS: 0.25% (15.8th percentile)
Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, create, and modify any redirect record without restriction to the user’s own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs – facilitating phishing or other malicious redirect attacks. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| typo3 | cms-redirects | >= 10.0.0 < 10.4.55 | 10.4.55 |
| typo3 | cms-redirects | >= 11.0.0 < 11.5.49 | 11.5.49 |
| typo3 | cms-redirects | >= 12.0.0 < 12.4.41 | 12.4.41 |
| typo3 | cms-redirects | >= 13.0.0 < 13.4.23 | 13.4.23 |
| typo3 | cms-redirects | >= 14.0.0 < 14.0.2 | 14.0.2 |
| typo3 | typo3 | >= 10.0.0 < 10.4.55 | 10.4.55 |
| typo3 | typo3 | >= 11.0.0 < 11.5.49 | 11.5.49 |
| typo3 | typo3 | >= 12.0.0 < 12.4.41 | 12.4.41 |
| typo3 | typo3 | >= 13.0.0 < 13.4.23 | 13.4.23 |
| typo3 | typo3 | >= 14.0.0 < 14.0.2 | 14.0.2 |
| typo3 | typo3_cms | >= 10.0.0 < 10.4.55 | 10.4.55 |
| typo3 | typo3_cms | >= 11.0.0 < 11.5.49 | 11.5.49 |
| typo3 | typo3_cms | >= 12.0.0 < 12.4.41 | 12.4.41 |
| typo3 | typo3_cms | >= 13.0.0 < 13.4.23 | 13.4.23 |
| typo3 | typo3_cms | >= 14.0.0 < 14.0.2 | 14.0.2 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| nvd | 4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV
TYPO3 CMS Allows Broken Access Control in Redirects Module
osv·2026-01-13
CVE-2025-59021 [MEDIUM] TYPO3 CMS Allows Broken Access Control in Redirects Module
### Problem
Backend users with access to the redirects module and write permission on the `sys_redirect` table were able to read, create, and modify any redirect record - without restriction to the user's own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs - facilitating phishing or other malicious redirect attacks.
### Solution
Update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.
### Credits
Thanks to Georg Dümmler for reporting this issue, and to TYPO3 security team member Elias Häußler for fixing it.
### References
* [TYPO3-CORE-SA-2026-002](https://typo3.org/security/advisory/typo3-core-sa-2026-002)
GHSA
TYPO3 CMS Allows Broken Access Control in Redirects Module
ghsa·2026-01-13
CVE-2025-59021 [MEDIUM] CWE-862 TYPO3 CMS Allows Broken Access Control in Redirects Module
No detection rules found.
No public exploits indexed.