### Key Information

- **Vulnerability ID**: TYPO3-EXT-SA-2025-008
- **Affected Extension**: "Front End User Registration" (sr_feuser_register)
- **Vulnerability Types**:
  - Remote Code Execution (RCE)
  - Insecure Direct Object Reference (IDOR)
- **Severity**: Critical
- **Affected Versions**: 5.1.0 - 12.4.8
- **CVSS v3.1 Vector**: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (base score 9.8; temporal score 9.1 with the E:F/RL:O/RC:C metrics applied)
- **CVE IDs**: CVE-2025-48200, CVE-2025-48205
- **CWE IDs**: CWE-502 (Deserialization of Untrusted Data), CWE-639 (Authorization Bypass Through User-Controlled Key)

### Description

The extension passes serialized PHP representations of previously uploaded file objects to the client and accepts them back without validating their content. Because the serialized string is fully attacker-controlled, an attacker can substitute arbitrary serialized PHP objects, which the server then deserializes. Deserializing untrusted input instantiates whatever classes the payload names and triggers their magic methods (such as `__wakeup()` or `__destruct()`), so any usable gadget chain in the installed code base yields Remote Code Execution (CWE-502). The CVSS vector reflects that no authentication (PR:N) and no user interaction (UI:N) are required.

Independently of the deserialization flaw, the download path does not check whether the requesting user is authorized to retrieve the file identified by the supplied file identifier. An attacker can therefore enumerate or guess identifiers and disclose and download arbitrary files from the upload storage without further authentication, an Insecure Direct Object Reference (CWE-639).

### Solution

Users are advised to upgrade to version 12.5.0 as soon as possible, which includes fixes for both vulnerabilities. The update is available via the TYPO3 Extension Manager, via Packagist (Composer), or directly from the following link:

- [https://extensions.typo3.org/extension/download/sr_feuser_register/12.5.0/zip](https://extensions.typo3.org/extension/download/sr_feuser_register/12.5.0/zip)

To confirm exposure, check the version of sr_feuser_register actually installed (Extension Manager, or the extension entry in `composer.lock` on Composer-based installations) rather than the version of the TYPO3 core; any version from 5.1.0 up to and including 12.4.8 is affected. If an immediate upgrade is not possible, disabling the extension or the affected front-end plugin removes both attack surfaces until the update can be applied.

### Acknowledgments

Thanks to Johannes Seipelt for reporting the RCE vulnerability, to Security Team Member Torben Hansen for reporting the IDOR issue, and to Stanislas Roland for providing the updated version of the extension.
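The two weaknesses in the Description section, shown side by side in a PHP illustration added here; this is not code from sr_feuser_register or from the fixed 12.5.0 release. The vulnerable handler mirrors the advisory's pattern (client-supplied serialized file object, no ownership check), and the hardened variant replaces the serialized object with an opaque server-side reference that is checked against the current user. The `UploadRegistry` class, the in-memory array standing in for session or database storage, the `downloadVulnerable`/`downloadHardened` functions, and the user ids are all hypothetical.

```php
<?php
// Added illustration of CWE-502 + CWE-639 in a file-download handler and one way
// to fix both. Hypothetical code, not the extension's own implementation.
declare(strict_types=1);

// --- Vulnerable pattern ------------------------------------------------------
// The client returns a base64-encoded serialized PHP "file object" describing an
// earlier upload. Both the class and the path inside it are attacker-controlled.
function downloadVulnerable(array $request, string $uploadDir): string|false
{
    // CWE-502: unserialize() instantiates any class the payload names and runs
    // its __wakeup()/__destruct(); a gadget chain in the code base gives RCE.
    $file = unserialize(base64_decode((string)($request['file'] ?? '')));
    // CWE-639: no check that the requester owns the file the object points at.
    return file_get_contents($uploadDir . '/' . $file->name);
}

// --- Hardened pattern --------------------------------------------------------
// Never deserialize client input. Keep the upload record server-side, give the
// client only an opaque reference, and verify ownership before serving.
final class UploadRegistry
{
    /** @var array<string, array{owner:int, name:string}> in-memory stand-in for session/DB */
    private array $uploads = [];

    public function register(int $ownerUid, string $storedName): string
    {
        $ref = bin2hex(random_bytes(16));            // 32 hex chars, unguessable
        $this->uploads[$ref] = ['owner' => $ownerUid, 'name' => $storedName];
        return $ref;
    }

    /** Returns the stored file name only if $ref exists and belongs to $requesterUid. */
    public function resolve(string $ref, int $requesterUid): ?string
    {
        if (!preg_match('/^[0-9a-f]{32}$/', $ref)) {
            return null;                              // serialized blobs etc. never match
        }
        $entry = $this->uploads[$ref] ?? null;
        if ($entry === null || $entry['owner'] !== $requesterUid) {
            return null;                              // unknown reference or not the owner
        }
        return $entry['name'];
    }
}

function downloadHardened(UploadRegistry $registry, array $request, int $sessionUid, string $uploadDir): ?string
{
    $name = $registry->resolve((string)($request['file'] ?? ''), $sessionUid);
    if ($name === null) {
        return null;                                  // deny: 403/404 in a real controller
    }
    // basename() drops any directory component should a stored name ever be tampered with.
    $path = $uploadDir . '/' . basename($name);
    return is_file($path) ? file_get_contents($path) : null;
}

// --- Demo with constructed data ---------------------------------------------
$registry = new UploadRegistry();
$dir = sys_get_temp_dir();
file_put_contents($dir . '/avatar.png', 'PNG-bytes');
$ref = $registry->register(42, 'avatar.png');         // user 42 uploaded avatar.png

var_dump($registry->resolve($ref, 42) === 'avatar.png');                // owner: allowed
var_dump($registry->resolve($ref, 7) === null);                          // other user: denied
var_dump($registry->resolve('O:8:"stdClass":0:{}', 42) === null);        // serialized payload: rejected
var_dump(downloadHardened($registry, ['file' => $ref], 42, $dir) === 'PNG-bytes');
var_dump(downloadHardened($registry, ['file' => $ref], 7, $dir) === null);
```

If a legacy client must keep sending serialized data for a transition period, `unserialize($data, ['allowed_classes' => false])` turns every object in the payload into `__PHP_Incomplete_Class` and so blocks gadget-chain instantiation, but it does nothing about the missing ownership check, and the only durable fix is to stop accepting serialized objects from the client at all, as the hardened variant does.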