Platform: php
Component: typo3/cms-webhooks
Fixed in: 12.0.1, 13.0.1, 12.4.31
CVE-2025-47936 describes a Server-Side Request Forgery (SSRF) vulnerability within the typo3/cms-webhooks component. This vulnerability allows attackers, specifically those with administrator-level backend user accounts, to potentially access internal resources. Affected versions include those prior to 12.4.31. A fix is available in TYPO3 versions 12.4.31 LTS and 13.4.12 LTS.
The SSRF vulnerability in typo3/cms-webhooks enables attackers to craft requests that originate from the TYPO3 server, bypassing network restrictions. This allows them to target internal resources that would normally be inaccessible from the outside, such as services running on localhost or other systems on the local network. Successful exploitation requires an attacker to have an administrator-level backend user account within the TYPO3 CMS. The potential impact includes unauthorized access to sensitive data, modification of internal configurations, and potentially even the compromise of other systems on the network, depending on the services exposed internally.
This vulnerability is not actively being exploited as of the public disclosure date (2025-05-20). It has been added to the CISA KEV catalog, indicating a medium probability of exploitation. Public proof-of-concept (POC) code is not currently available, but the SSRF nature of the vulnerability makes it likely that a POC will be developed. The requirement for administrator-level access may limit the scope of exploitation.
Exploit Status
EPSS: 0.17% (39th percentile)
The primary mitigation for CVE-2025-47936 is to update the typo3/cms-webhooks component to version 12.4.31 LTS or later, or to version 13.4.12 LTS. If an immediate upgrade is not feasible, consider restricting network access to the TYPO3 server to minimize the potential attack surface. Implement strict access controls within the TYPO3 CMS to limit the number of users with administrator privileges. Review and audit webhook configurations to ensure they are not inadvertently configured to allow access to sensitive internal resources. After upgrade, confirm the fix by attempting to trigger a webhook request to an internal resource and verifying that the request is denied or properly handled.
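As an added illustration of the "review webhook configurations" advice above, here is a hypothetical outbound-URL guard written in PHP. It is not TYPO3's code, does not use TYPO3 APIs, and the function names, the fake resolver and the sample hostnames and addresses are all constructed for this example. It refuses a webhook target whose scheme is not http/https, that embeds credentials, or whose host is (or resolves to) a loopback, private or reserved address, which is the class of internal resource the description above says the SSRF reaches.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical outbound-URL guard for webhook targets (example code, not TYPO3's own).
 *
 * $resolver maps a hostname to the list of IP strings it resolves to. It defaults to
 * DNS via gethostbynamel() but can be replaced with a fixed map for offline tests.
 *
 * @return string|null  null when the URL is acceptable, otherwise the reason it was refused
 */
function webhookTargetRejectReason(string $url, ?callable $resolver = null): ?string
{
    $parts = parse_url($url);
    if ($parts === false) {
        return 'unparseable URL';
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return "scheme '{$scheme}' is not allowed";
    }
    if (empty($parts['host'])) {
        return 'missing host';
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials embedded in URL';
    }

    $host = strtolower(trim($parts['host'], '[]'));   // parse_url keeps IPv6 brackets
    if ($host === 'localhost' || str_ends_with($host, '.localhost')) {
        return 'localhost is not a permitted target';
    }

    // A literal IP needs no resolution. A hostname is resolved to every address it maps
    // to, and every one of them must be public: whoever controls the name controls DNS.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addresses = [$host];
    } else {
        $resolver = $resolver ?? static fn(string $h): array => gethostbynamel($h) ?: [];
        $addresses = $resolver($host);
        if ($addresses === []) {
            return "host '{$host}' does not resolve";
        }
    }

    foreach ($addresses as $ip) {
        if (!isPublicAddress($ip)) {
            return "host '{$host}' maps to non-public address {$ip}";
        }
    }
    return null;
}

/**
 * True only for addresses outside the private and reserved ranges that filter_var knows:
 * 10/8, 172.16/12, 192.168/16, fc00::/7 (private) and 0/8, 127/8, 169.254/16, 240/4,
 * ::1, ::, ::ffff:0:0/96, fe80::/10 (reserved). Ranges such as 100.64/10 are not covered
 * and would need an explicit check in a real deployment.
 */
function isPublicAddress(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Demonstration with a fixed resolver so the script runs offline; all values are constructed.
$fakeDns = static fn(string $h): array => match ($h) {
    'hooks.example.com'    => ['93.184.216.34'],
    'internal.example.com' => ['10.0.0.5'],
    'mixed.example.com'    => ['93.184.216.34', '127.0.0.1'],   // one public, one loopback
    default                => [],
};

foreach ([
    'https://hooks.example.com/notify',
    'http://127.0.0.1:8080/',
    'http://[::1]/',
    'http://169.254.1.1/',
    'http://internal.example.com/',
    'http://mixed.example.com/',
    'file:///etc/hosts',
    'http://user:pw@hooks.example.com/',
] as $candidate) {
    $reason = webhookTargetRejectReason($candidate, $fakeDns);
    printf("%-40s %s\n", $candidate, $reason === null ? 'ALLOWED' : 'REFUSED: ' . $reason);
}
```

Two caveats matter when using a check like this defensively. Validating the URL once at configuration time is not sufficient, because the name can be re-pointed to an internal address later (DNS rebinding) and a public target can redirect to an internal one; the same address check therefore has to be applied to the address actually connected to and to every redirect hop at request time. And an allow-list of approved webhook destinations, where the deployment permits it, is simpler and stronger than any deny-list of address ranges.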
Update TYPO3 to version 12.4.31 LTS or 13.4.12 LTS or higher. This update corrects the Server-Side Request Forgery (SSRF) vulnerability in webhooks. It is recommended to perform the update as soon as possible to mitigate the risk.
CVE-2025-47936 is a Server-Side Request Forgery vulnerability in the typo3/cms-webhooks component, allowing attackers with admin access to target internal resources.
You are affected if you are using typo3/cms-webhooks versions prior to 12.4.31 or 13.4.12 and have administrator-level backend user accounts.
Update to TYPO3 versions 12.4.31 LTS or 13.4.12 LTS. Restrict network access and implement strict access controls as temporary mitigations.
As of the public disclosure date, there is no confirmed active exploitation of CVE-2025-47936, but it is considered a medium probability.
Refer to the TYPO3 security advisory for detailed information and updates: [https://typo3.org/security/advisory/typo3cms-vulnerabilities](https://typo3.org/security/advisory/typo3cms-vulnerabilities)