CVE-2025-59021: CWE-862 Missing Authorization in TYPO3 TYPO3 CMS
Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, create, and modify any redirect record without restriction to the user’s own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs – facilitating phishing or other malicious redirect attacks. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.
AI Analysis
Technical Summary
CVE-2025-59021 is a missing authorization vulnerability (CWE-862) in the TYPO3 CMS redirects module, present in versions 10.0.0 through 14.0.1. The issue arises because backend users who have access to the redirects module and write permissions on the sys_redirect database table can bypass restrictions normally enforced by file-mounts or web-mounts. This means such users can read, create, and modify any redirect record in the system, not just those associated with their own mounts. By exploiting this flaw, an attacker with legitimate backend access can insert or alter redirects to point to arbitrary external URLs. This capability can be leveraged to conduct phishing attacks by redirecting legitimate site visitors to malicious sites, or to facilitate other malicious redirect-based attacks. The vulnerability does not require user interaction beyond authenticated backend access and does not require elevated privileges beyond write access to the sys_redirect table. The CVSS 4.0 base score is 5.3 (medium), reflecting network attack vector, low complexity, no privileges required beyond write access, and no user interaction. The impact affects confidentiality and integrity by enabling unauthorized modification of redirect targets, potentially undermining user trust and site integrity. No public exploits are known at this time, but the vulnerability is published and should be addressed promptly. TYPO3 CMS is widely used in Europe for content management, especially in government, education, and enterprise sectors, making this vulnerability relevant for European organizations relying on affected versions.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized redirect manipulation within TYPO3 CMS installations. Attackers with backend access and write permissions on the sys_redirect table can redirect legitimate users to malicious or phishing sites, potentially leading to credential theft, malware infection, or reputational damage. This can undermine user trust in affected websites, especially for public-facing portals of government, educational institutions, and enterprises that rely on TYPO3 CMS. The ability to modify redirects without restriction can also facilitate further social engineering or targeted attacks. While exploitation requires authenticated backend access, insider threats or compromised backend credentials increase risk. The vulnerability impacts confidentiality and integrity of web content and user navigation flows, but does not directly affect availability. European organizations with TYPO3 CMS versions 10.0.0 to 14.0.1 should consider this a significant risk, particularly those with multiple backend users or less restrictive permission models. The lack of known exploits in the wild reduces immediate threat but does not eliminate risk due to the ease of exploitation once access is obtained.
Mitigation Recommendations
1. Upgrade TYPO3 CMS to the latest patched version beyond 14.0.1 once available, as the vendor will likely release a fix addressing this authorization flaw.
2. Until patches are applied, restrict backend user permissions by limiting access to the redirects module and write permissions on the sys_redirect table only to trusted administrators.
3. Implement strict role-based access control (RBAC) to ensure users cannot modify redirects outside their scope.
4. Monitor backend user activity logs for unusual redirect creation or modification patterns.
5. Employ multi-factor authentication (MFA) for backend access to reduce risk of credential compromise.
6. Conduct regular audits of redirect records to detect unauthorized or suspicious entries.
7. Educate administrators about the risk of phishing via malicious redirects and encourage vigilance.
8. Consider network segmentation or additional access controls to limit backend access to trusted networks.
9. Use web application firewalls (WAF) to detect and block suspicious redirect patterns if possible.
10. Maintain an incident response plan to quickly address any detected misuse of redirects.
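A defender-side audit for the monitoring and audit recommendations above, added here as an example that is neither part of this advisory nor TYPO3 project code: it walks exported sys_redirect rows and flags every redirect whose target leaves the site's own hosts. It assumes rows are available as dicts with the columns uid, source_host, source_path, target and createdby, and that the operator supplies the trusted host list; the sample rows are constructed.

```python
"""Audit TYPO3 sys_redirect records for targets that point off-site.

Assumptions (not from the advisory): rows are dicts carrying the sys_redirect
columns uid, source_host, source_path, target and createdby; the trusted host
list is supplied by the site operator.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample rows, not real data.
SAMPLE_REDIRECTS = [
    {"uid": 1, "source_host": "*", "source_path": "/old-news", "target": "t3://page?uid=42", "createdby": 3},
    {"uid": 2, "source_host": "www.example.org", "source_path": "/docs", "target": "/documentation/", "createdby": 3},
    {"uid": 3, "source_host": "*", "source_path": "/login", "target": "https://www.example.org.evil.test/login", "createdby": 7},
    {"uid": 4, "source_host": "*", "source_path": "/portal", "target": "//attacker.test/portal", "createdby": 7},
    {"uid": 5, "source_host": "*", "source_path": "/sso", "target": "https://www.example.org@attacker.test/", "createdby": 7},
    {"uid": 6, "source_host": "www.example.org", "source_path": "/intranet", "target": "HTTPS://WWW.EXAMPLE.ORG/intranet/", "createdby": 3},
]


def target_host(target: str) -> Optional[str]:
    """Return the lowercase host a redirect target resolves to, or None for
    site-internal targets (TYPO3 t3:// links and relative paths)."""
    t = target.strip()
    if t.startswith("t3://"):
        return None  # internal page/file link resolved by TYPO3 itself
    if t.startswith("//"):
        t = "https:" + t  # scheme-relative URLs still leave the site
    parts = urlsplit(t)
    if not parts.scheme and not parts.netloc:
        return None  # relative path on the current host
    # .hostname strips userinfo and port and lowercases, so a target such as
    # https://www.example.org@attacker.test/ is attributed to attacker.test.
    # Absolute targets without a host (e.g. mailto:) yield "" and get flagged.
    return parts.hostname or ""


def find_external_redirects(records, trusted_hosts):
    """Return (uid, createdby, host) for every record whose target points off-site."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for rec in records:
        host = target_host(rec["target"])
        if host is not None and host not in trusted:
            findings.append((rec["uid"], rec["createdby"], host))
    return findings


if __name__ == "__main__":
    for uid, user, host in find_external_redirects(SAMPLE_REDIRECTS, ["www.example.org"]):
        print(f"sys_redirect uid={uid} created by be_user {user} points to {host}")
```

Run it against a fresh export of the table after each review cycle; any uid it reports should be traced back to the backend user in createdby and the backend log entry that wrote it.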
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Sweden, Denmark, Austria, Switzerland, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: TYPO3
- Date Reserved: 2025-09-07T19:01:20.436Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69663672a60475309fe4981b
Added to database: 1/13/2026, 12:11:30 PM
Last enriched: 1/13/2026, 12:26:30 PM
Last updated: 1/13/2026, 3:04:12 PM