CVE-2025-47939

Description

TYPO3 is an open source, PHP based web content management system. By design, the file management module in TYPO3’s backend user interface has historically allowed the upload of any file type, with the exception of those that are directly executable in a web server context. This lack of restriction means it is possible to upload files that may be considered potentially harmful, such as executable binaries (e.g., `.exe` files), or files with inconsistent file extensions and MIME types (for example, a file incorrectly named with a `.png` extension but actually carrying the MIME type `application/zip`) starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS. Although such files are not directly executable through the web server, their presence can introduce indirect risks. For example, third-party services such as antivirus scanners or malware detection systems might flag or block access to the website for end users if suspicious files are found. This could negatively affect the availability or reputation of the site. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.

CVSS v3.1 Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Weakness Type (CWE)

CWE-351 CWE-351

CWE-434 Unrestricted Upload

Affected Products

Vendor	Product	Versions
typo3	typo3	9.0.0 — 9.5.51
typo3	typo3	10.0.0 — 10.4.50
typo3	typo3	11.0.0 — 11.5.44
typo3	typo3	12.0.0 — 12.4.31
typo3	typo3	13.0.0 — 13.4.12

References

Advisories & Patches

https://github.com/TYPO3/typo3/security/advisories/GHSA-9hq9-cr36-4wpj https://typo3.org/security/advisory/typo3-core-sa-2025-014

Frequently Asked Questions

What is CVE-2025-47939? +

TYPO3 is an open source, PHP based web content management system. By design, the file management module in TYPO3’s backend user interface has historically allowed the upload of any file type, with the exception of those that are directly executable in a web server context. This lack of restriction means it is possible to upload files that may be considered potentially harmful, such as executable binaries (e.g., `.exe` files), or files with inconsistent file extensions and MIME types (for example, a file incorrectly named with a `.png` extension but actually carrying the MIME type `application/zip`) starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS. Although such files are not directly executable through the web server, their presence can introduce indirect risks. For example, third-party services such as antivirus scanners or malware detection systems might flag or block access to the website for end users if suspicious files are found. This could negatively affect the availability or reputation of the site. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem. It has a CVSS v3.1 base score of 5.4 (MEDIUM).

How severe is CVE-2025-47939? +

CVE-2025-47939 has a CVSS v3.1 score of 5.4 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance.

What products are affected by CVE-2025-47939? +

CVE-2025-47939 affects products from typo3, specifically: typo3. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2025-47939? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-54412

skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain …

CVE-2025-54413

skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain …

CVE-2025-30510 9.8

An attacker can upload an arbitrary file instead of a plant image.

CVE-2025-31951 8.8

HCL BigFix RunBookAI is affected by a Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component's …

CVE-2025-65960 6.6

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users …

CVE-2024-4769 5.9

When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. This could …