TYPO3 CMS Unrestricted Redirect Modification (10-14)
CVE-2025-59021 Published on January 13, 2026
TYPO3 CMS Allows Broken Access Control in Redirects Module
Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, create, and modify any redirect record without restriction to the users own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs facilitating phishing or other malicious redirect attacks. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2025-59021 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2025-59021
Want to know whenever a new CVE is published for TYPO3? stack.watch will email you.
Affected Versions
TYPO3 CMS:- Version 10.0.0 and below 10.4.55 is affected.
- Version 11.0.0 and below 11.5.49 is affected.
- Version 12.0.0 and below 12.4.41 is affected.
- Version 13.0.0 and below 13.4.23 is affected.
- Version 14.0.0 and below 14.0.2 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2025-59021
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| composer | typo3/cms-redirects | >= 14.0.0, <= 14.0.1 | 14.0.2 |
| composer | typo3/cms-redirects | >= 13.0.0, <= 13.4.22 | 13.4.23 |
| composer | typo3/cms-redirects | >= 12.0.0, <= 12.4.40 | 12.4.41 |
| composer | typo3/cms-redirects | >= 11.0.0, <= 11.5.48 | 11.5.49 |
| composer | typo3/cms-redirects | >= 10.0.0, <= 10.4.54 | 10.4.55 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.