TYPO3 CMS Insecure Deserialization Vulnerability in Core API Allowing PHP Object Injection

Vulnerability

A vulnerability exists in the TYPO3 CMS core API, specifically in the cache frontend 'VariableFrontend' and the 'Registry' key-value store. Both components unserialize stored PHP payloads without an integrity check on the stored data and without restricting which classes may be instantiated. An attacker who can already write to the underlying storage backend, either the cache store or the 'sys_registry' database table, can therefore place a crafted serialized payload there; when the application reads the entry back, the payload is turned into live PHP objects (PHP Object Injection), which can lead to execution of arbitrary code or other significant impacts depending on which classes are loadable in the installation. Exploitation requires direct local write access to the storage, such as the SQL database or the file system, so the issue is reachable only by someone who already has a foothold (for example a compromised database credential or a malicious extension), not by an unauthenticated remote user. It affects TYPO3 CMS versions 10.0.0 prior to 10.4.57, 11.0.0 through 11.5.50, 12.0.0 through 12.4.45, 13.0.0 through 13.4.30, and 14.0.0 through 14.3.2.

Impact

Exploitation of this vulnerability leads to PHP Object Injection. Whether that escalates to arbitrary code execution or some other severe effect depends on the injected object and on the gadget classes (classes with side-effecting magic methods) that the installation, its extensions and its vendor libraries make loadable.

Reproduction

The vulnerability can be reproduced by writing a serialized PHP object that references a class with a user-defined '__destruct()' or an exploitable '__wakeup()' method into the 'sys_registry' database table or the cache store. This can be done with a TYPO3 extension or script that has write access to these storage backends. Once the crafted payload is in place, the next read of that entry unserializes it without any safeguard: the object is instantiated, its magic method runs, and the attacker's code path executes.
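The following is an added illustration of the sink described in the Vulnerability and Reproduction sections; it is not TYPO3 code and not the project's patch. The gadget class 'LogFlusher', the array standing in for 'sys_registry' or the cache backend, and the 'readVulnerable' / 'readHardened' helpers are all hypothetical. The hardened read path shows the two controls the advisory says were missing (an integrity check on stored data and a class restriction on unserialize()) in one plausible form; the actual fix shipped by TYPO3 may differ. Requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3 code. LogFlusher, $storage, readVulnerable,
// readHardened and the "mac:blob" layout are hypothetical stand-ins.

// A gadget: any loadable class with a side-effecting magic method. Here the
// destructor writes a file, standing in for "arbitrary code".
final class LogFlusher
{
    public function __construct(public string $path, public string $data) {}

    public function __destruct()
    {
        // Fires as soon as an instance is freed, i.e. right after unserialize()
        // returns and the result is discarded.
        file_put_contents($this->path, $this->data);
    }
}

// Stand-in for sys_registry / the cache backend: a key-value array that an
// attacker with storage write access fully controls.
$storage = [];
$storage['core:lastRun'] = serialize(['timestamp' => 1700000000]); // legitimate entry

// The attacker writes raw bytes into the store; no PHP runs on their side.
// Constructed payload: an object of the gadget class with attacker-chosen fields.
$file = sys_get_temp_dir() . '/poi-demo.txt';
$storage['core:lastRun'] = sprintf(
    'O:10:"LogFlusher":2:{s:4:"path";s:%d:"%s";s:4:"data";s:5:"pwned";}',
    strlen($file),
    $file
);

// Pre-fix read path: unrestricted unserialize(), no integrity check.
function readVulnerable(array $storage, string $key): mixed
{
    return unserialize($storage[$key]);
}

// Hardened read path (illustrative): a keyed MAC over the blob so tampered
// storage is rejected before it is parsed, plus allowed_classes=false so that
// even a MAC bypass yields __PHP_Incomplete_Class rather than a live gadget.
function writeHardened(array &$storage, string $key, mixed $value, string $secret): void
{
    $blob = serialize($value);
    $storage[$key] = hash_hmac('sha256', $blob, $secret) . ':' . $blob;
}

function readHardened(array $storage, string $key, string $secret): mixed
{
    [$mac, $blob] = explode(':', $storage[$key], 2) + [null, null];
    if ($blob === null || !hash_equals(hash_hmac('sha256', $blob, $secret), $mac)) {
        throw new RuntimeException("integrity check failed for '$key'");
    }
    return unserialize($blob, ['allowed_classes' => false]);
}

// --- demo ---------------------------------------------------------------

$secret = random_bytes(32); // server-side key, never stored next to the data
@unlink($file);

// 1. Vulnerable: the planted object is instantiated and __destruct() runs.
readVulnerable($storage, 'core:lastRun');
echo 'vulnerable read created the file: ', var_export(file_exists($file), true), PHP_EOL;

// 2. Hardened: the planted bytes carry no valid MAC, so they are rejected
//    before unserialize() ever sees them.
@unlink($file);
try {
    readHardened($storage, 'core:lastRun', $secret);
} catch (RuntimeException $e) {
    echo 'hardened read rejected the entry: ', $e->getMessage(), PHP_EOL;
}
echo 'hardened read created the file: ', var_export(file_exists($file), true), PHP_EOL;

// 3. Defence in depth: even if the payload reached unserialize(), the class
//    restriction keeps the gadget from being instantiated.
$obj = unserialize($storage['core:lastRun'], ['allowed_classes' => false]);
echo 'class restriction produced: ', get_class($obj), PHP_EOL;

// 4. A legitimate round trip through the hardened path still works.
writeHardened($storage, 'core:lastRun', ['timestamp' => 1700000000], $secret);
echo 'round-tripped timestamp: ', readHardened($storage, 'core:lastRun', $secret)['timestamp'], PHP_EOL;
```

Two points the demo makes that the advisory text only implies: the attacker never needs to execute PHP, only to write bytes into the store (step 1 builds the payload with sprintf, not with new LogFlusher), and the two missing controls are independent. The MAC stops tampered data from being parsed at all, while allowed_classes=false limits the damage if the MAC is ever bypassed, at the cost that callers which legitimately store objects in the Registry or cache must be adapted to receive __PHP_Incomplete_Class instead.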

Remediation

Update TYPO3 to versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, or 14.3.3 LTS, all of which address this vulnerability.

Added: Jun 9, 2026, 11:23 AM
Updated: Jun 9, 2026, 11:23 AM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 7.5
exploitability: 4.0
remediation: 7.7
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.