### Key Information

- **Vulnerability ID**: TYPO3-CORE-SA-2025-012
- **Vulnerability Type**: Server-Side Request Forgery (SSRF) via Webhooks
- **Affected Versions**:
  - 12.0.0 - 12.4.30
  - 13.0.0 - 13.4.11
- **Severity**: Low
- **CVSS Score**: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
- **Related CVE and CWE**: CVE-2025-47936, CWE-918

### Description

Webhooks are vulnerable to SSRF, allowing attackers to reach internal resources (such as localhost or other services on the local network) through requests issued by the TYPO3 server. While this is not a vulnerability in TYPO3 itself, it may enable attackers to blindly access systems that would otherwise be unreachable from outside. An administrator-level backend user account is required to exploit this vulnerability.

### Solution

- Upgrade to the following versions:
  - TYPO3 12.4.31 LTS
  - TYPO3 13.4.12 LTS

### Manual Mitigation Requirements

To mitigate potential SSRF risks via Webhooks, it is recommended to allow webhook requests only to trusted hosts. This can be achieved by configuring a whitelist in `$GLOBALS['TYPO3_CONF_VARS']['HTTP']['allowed_hosts']['webhooks']`.

- If the whitelist is undefined or set to `null`, all requests will be allowed.
- If the whitelist is an empty array, all requests will be blocked.

By default, the factory setting allows all requests. This prevents existing Webhooks from failing after upgrading to affected TYPO3 versions. Administrators must manually configure this setting to enforce restrictions.

### Acknowledgments

Thanks to the Swiss National Cyber Security Centre (NCSC) for reporting this issue, and to TYPO3 core and security team member Benjamin Franzke for fixing it.
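The following configuration fragment is an added example and is not part of the advisory or of the TYPO3 project's own code. It shows the three states of the whitelist described above side by side: the permissive factory default, a full lockdown, and a restrictive allow list. The file location (`config/system/additional.php`, the Composer-mode location in TYPO3 12/13) and the host names are assumptions; the advisory does not state the entry format, so plain host names are assumed here as well.

```php
<?php
// Added example, not from the advisory or the TYPO3 project.
// Assumed location: config/system/additional.php (Composer-based TYPO3 12.4/13.4 install).
// Host names below are constructed sample values.

// Weak setting (also the factory default): null, or leaving the key undefined,
// lets webhooks reach any host, including localhost and other internal services.
$GLOBALS['TYPO3_CONF_VARS']['HTTP']['allowed_hosts']['webhooks'] = null;

// Lockdown: an empty array blocks every outgoing webhook request.
// Useful while auditing which webhooks are actually in use.
$GLOBALS['TYPO3_CONF_VARS']['HTTP']['allowed_hosts']['webhooks'] = [];

// Recommended: list only the external hosts your webhooks are known to call.
// Internal addresses are then refused even if an administrator account is misused.
// (Entry format assumed to be plain host names; sample values.)
$GLOBALS['TYPO3_CONF_VARS']['HTTP']['allowed_hosts']['webhooks'] = [
    'hooks.example.com',
    'notify.partner.example',
];
```

Only the last assignment takes effect, so a real `additional.php` keeps just one of the three. After upgrading, check which state the key is in: an absent key is equivalent to `null` and leaves the permissive default in place.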