TYPO3 Webhooks SSRF Vulnerability Advisory (CVE-2025-47936)

Key Information Vulnerability ID: TYPO3-CORE-SA-2025-012 Vulnerability Type: Server-Side Request Forgery (SSRF) via Webhooks Affected Versions: - 12.0.0 - 12.4.30 - 13.0.0 - 13.4.11 Severity: Low CVSS Score: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L Related CVE and CWE: CVE-2025-47936, CWE-918 Description Webhooks are vulnerable to SSRF, allowing attackers to access internal resources (such as localhost or other services on the local network). While this is not a vulnerability in TYPO3 itself, it may enable attackers to blindly access systems that would otherwise be inaccessible. An administrator-level backend user account is required to exploit this vulnerability. Solution Upgrade to the following versions: - TYPO3 12.4.31 LTS - TYPO3 13.4.12 LTS Manual Mitigation Requirements To mitigate potential SSRF risks via Webhooks, it is recommended to allow access only from trusted hosts. This can be achieved by configuring a whitelist in . If the whitelist is undefined or set to , all requests will be allowed. If the whitelist is an empty array, all requests will be blocked. By default, the factory setting allows all requests. This prevents existing Webhooks from failing after upgrading to affected TYPO3 versions. Administrators must manually configure this setting to enforce restrictions. Acknowledgments Thanks to the Swiss National Cyber Security Centre (NCSC) for reporting this issue, and to TYPO3 core and security team member Benjamin Franzke for fixing it.

Goal Reached Thanks to every supporter — we hit 100%!

TYPO3 Webhooks SSRF Vulnerability Advisory (CVE-2025-47936)