
CVE-2022-36104: CWE-770: Allocation of Resources Without Limits or Throttling in TYPO3 typo3

Medium
Published: Tue Sep 13 2022 (09/13/2022, 17:20:19 UTC)
Source: CVE
Vendor/Project: TYPO3
Product: typo3

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. Users are advised to update to TYPO3 version 11.5.16 to resolve this issue. There are no known workarounds for this issue.

AI-Powered Analysis

Last updated: 06/22/2025, 21:51:31 UTC

Technical Analysis

CVE-2022-36104 affects TYPO3, an open-source PHP web content management system. The affected versions are 11.4.0 up to but not including 11.5.16 (that is, 11.4.0 through 11.5.15). The flaw is in the page error handler. When a client requests an invalid or non-existent resource, TYPO3 does not simply return a static error response: it retrieves the content of another page and shows that as the error message. Because that retrieval is a request against the same application, a target that also fails to resolve lands back in the error handler, which fetches again, and so on. There is no depth limit and no throttling on this self-request chain (CWE-770: Allocation of Resources Without Limits or Throttling), so a single crafted request is amplified into many. Each nested request consumes a PHP worker, CPU, memory and a web server connection until the server's limits are exceeded and legitimate users can no longer reach the site, i.e. a denial of service. No authentication or user interaction is required beyond sending the HTTP requests. No exploitation in the wild has been reported. The issue is fixed in TYPO3 11.5.16; no workaround is known, so upgrading is the only remediation.
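The amplification is easiest to see in a small model. The following is an added example and not TYPO3 code: the Site class, the depth counter, the request budget and the static fallback are assumptions of the model, not the project's implementation or the 11.5.16 patch. It serves one attacker request for a missing path against a site whose error handler fetches the error page from the site itself, first with a correctly resolving error page, then with a misconfigured one that also 404s, and finally with a guard that refuses to fetch an error page from inside an error-page fetch.

```python
"""Toy model of a CMS error handler that fetches its error page from
another URL on the same site, illustrating the recursion that
CVE-2022-36104 describes.  Added example, not TYPO3 code: the Site
class, the depth counter and the request budget are assumptions of the
model, not the project's implementation or its patch."""

from dataclasses import dataclass


class ServerExhausted(Exception):
    """Models the web server running out of workers/connections."""


@dataclass
class Site:
    pages: dict                 # path -> body for pages that exist
    error_page: str             # path whose content is shown on 404
    budget: int = 50            # requests the server can have in flight
    guard: bool = False         # True: never fetch an error page from within an error page
    served: int = 0             # requests served so far (all in flight while recursing)

    def request(self, path: str, depth: int = 0):
        """Serve one request; depth counts nested error-page fetches."""
        self.served += 1
        if self.served > self.budget:
            raise ServerExhausted(f"{self.served} requests in flight")
        if path in self.pages:
            return 200, self.pages[path]
        return self.not_found(depth)

    def not_found(self, depth: int):
        """Error handler: fetch the configured error page from the site itself."""
        if self.guard and depth >= 1:
            # Already inside an error-page fetch: serve a static fallback
            # instead of recursing again (bound the work, the CWE-770 fix pattern).
            return 404, "Page not found"
        _status, body = self.request(self.error_page, depth + 1)
        return 404, body


def simulate(error_page: str, guard: bool, budget: int = 50) -> dict:
    """One attacker request for a missing path; report what the server did."""
    site = Site(pages={"/": "home", "/error": "Sorry, not found"},
                error_page=error_page, budget=budget, guard=guard)
    try:
        status, body = site.request("/does-not-exist")
        return {"outcome": "served", "status": status, "body": body,
                "requests": site.served}
    except ServerExhausted:
        return {"outcome": "exhausted", "requests": site.served}


if __name__ == "__main__":
    # Correctly configured error page: one external request costs two.
    print(simulate("/error", guard=False))
    # Error page itself missing, no guard: recursion until the server gives up.
    print(simulate("/missing-error", guard=False))
    # Same misconfiguration with the depth guard: bounded at two requests.
    print(simulate("/missing-error", guard=True))
```

The unguarded run shows the CWE-770 shape: the cost of one request is not fixed by the attacker's effort but by the server's own capacity, which is exactly what the budget models. The guard bounds the chain at one nested fetch regardless of configuration, which is the property any fix for this class of bug must provide.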

Potential Impact

For European organizations using TYPO3 versions between 11.4.0 and 11.5.15, this vulnerability poses a risk of denial of service attacks that can disrupt web services. TYPO3 is popular among government agencies, educational institutions, and medium to large enterprises in Europe, which rely on web availability for public communication and service delivery. An attacker exploiting this vulnerability could cause service outages, impacting business continuity, customer trust, and potentially leading to financial losses. Since the vulnerability can be triggered remotely without authentication, it increases the attack surface and risk of automated or large-scale attacks. The recursive resource consumption could also strain hosting infrastructure, leading to collateral impacts on other hosted services. Although no data confidentiality or integrity compromise is indicated, the availability impact alone can be significant, especially for critical public-facing websites. Organizations with limited incident response or patch management capabilities may face prolonged downtime.

Mitigation Recommendations

1. Upgrade to TYPO3 11.5.16 or later. This is the only fix; the vendor lists no workaround.
2. Put request rate limiting and connection limits in front of TYPO3, for example Nginx limit_req and limit_conn keyed on the client address, or on Apache a module that limits request rate such as mod_evasive or mod_qos. Apache's mod_reqtimeout only bounds how long a client may take to send a request and does not limit request rate. Edge limits cap how many triggering requests an attacker can send, but they do not bound the internal amplification each accepted request causes, so they reduce rather than remove the risk.
3. Use a web application firewall to block clients that generate an abnormal volume of requests for non-existent resources.
4. Monitor web server logs for spikes in 404 responses. If the error handler fetches the error page over HTTP from the same host, the recursive requests show up in the access log as repeated requests for the error page from the server's own address; a high ratio of those to externally triggered 404s is a direct sign of the amplification.
5. Isolate TYPO3 instances (separate PHP-FPM pools, hosts or network segments) so that a resource-exhausted instance does not take down other services on the same infrastructure.
6. Include application-level resource exhaustion in incident response plans, since the outage looks like an ordinary traffic flood but is driven by the server's own requests.
7. Follow the TYPO3 security advisories for related patches.
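The log monitoring in point 4 can be scripted. The following is an added example, not part of the page or of TYPO3: it parses constructed access-log lines in the common log format, counts 404 responses per time window, and separates 404s from the server's own address (assumed here to be 127.0.0.1 or ::1) from externally triggered ones, so the self-request fan-out is visible as a ratio. The window size, the burst threshold and the self-address list are assumptions to tune per site, and the sample lines are constructed for the example.

```python
"""Detection pass over web server access logs for the pattern that
CVE-2022-36104 produces: a burst of 404 responses and, if the error
handler fetches the error page over HTTP from the same host, repeated
requests for the error page from the server's own address.  Added
example; the log lines are constructed, and the window, threshold and
self-address list are assumptions to tune per site."""

import re
from collections import Counter
from datetime import datetime, timezone

# Common log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one external client triggers 404s, and the server
# (127.0.0.1) fetches /error-page from itself several times per trigger.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Sep/2022:17:20:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.5 - - [13/Sep/2022:17:20:02 +0000] "GET /does-not-exist HTTP/1.1" 404 312
127.0.0.1 - - [13/Sep/2022:17:20:02 +0000] "GET /error-page HTTP/1.1" 404 312
127.0.0.1 - - [13/Sep/2022:17:20:02 +0000] "GET /error-page HTTP/1.1" 404 312
127.0.0.1 - - [13/Sep/2022:17:20:03 +0000] "GET /error-page HTTP/1.1" 404 312
127.0.0.1 - - [13/Sep/2022:17:20:03 +0000] "GET /error-page HTTP/1.1" 404 312
203.0.113.5 - - [13/Sep/2022:17:20:04 +0000] "GET /does-not-exist?x=2 HTTP/1.1" 404 312
127.0.0.1 - - [13/Sep/2022:17:20:04 +0000] "GET /error-page HTTP/1.1" 404 312
127.0.0.1 - - [13/Sep/2022:17:20:04 +0000] "GET /error-page HTTP/1.1" 404 312
198.51.100.7 - - [13/Sep/2022:17:25:10 +0000] "GET /about HTTP/1.1" 200 2048
198.51.100.7 - - [13/Sep/2022:17:25:11 +0000] "GET /typo HTTP/1.1" 404 312
"""


def parse_line(line: str):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def analyse(log_text: str, window_s: int = 60, burst_threshold: int = 5,
            self_ips=("127.0.0.1", "::1")) -> dict:
    """Count 404s per time window and separate self-requests from external ones."""
    per_window = Counter()     # window start (epoch seconds) -> 404 count
    self_404 = Counter()       # path -> 404s coming from the server's own address
    external_404 = 0
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e["status"] != 404:
            continue
        bucket = int(e["ts"].timestamp()) // window_s * window_s
        per_window[bucket] += 1
        if e["ip"] in self_ips:
            self_404[e["path"]] += 1
        else:
            external_404 += 1
    bursts = [(datetime.fromtimestamp(b, tz=timezone.utc), n)
              for b, n in sorted(per_window.items()) if n >= burst_threshold]
    self_total = sum(self_404.values())
    # Self-requests per external 404: above 1 means each trigger fans out internally.
    amplification = self_total / external_404 if external_404 else 0.0
    return {"bursts": bursts, "self_404": dict(self_404),
            "external_404": external_404, "amplification": amplification}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for start, n in result["bursts"]:
        print(f"{n} x 404 in the window starting {start:%H:%M:%S} UTC")
    print("self 404s by path:", result["self_404"])
    print("self-requests per external 404:", result["amplification"])
```

On the sample the first minute is flagged as a burst and the ratio of self-requests to external 404s is 2.0: every attacker request cost the server two of its own. A plain 404 spike can be a crawler or a broken link, but a non-zero self-request ratio against the configured error page is specific to this bug and is the signal worth alerting on.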


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-07-15T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9844c4522896dcbf3e3a

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/22/2025, 9:51:31 PM

Last updated: 8/16/2025, 6:44:01 PM

