Date: 2026-01-15
Vulnerability: Unsafe deserialization in Registry.php and VariableFrontend.php
Researcher: Your findings
Based on my research, you should report this vulnerability to TYPO3's security team, but there are important considerations about bug bounty eligibility.
Primary Contact: security@typo3.org
HackerOne Program: https://hackerone.com/typo3
Official Page: https://typo3.community/contribute/teams-committees/security/bug-bounty-program

In scope:
- ✅ Server-side code execution vulnerabilities (your finding)
- ✅ All actively maintained TYPO3 versions
- ✅ Authentication and authorization flaws

Out of scope:
- ❌ Install tool flaws requiring super-privileged user access
- ❌ External libraries with known vulnerabilities
- ❌ Debug configuration disclosures
Based on CVSS scoring:
| Severity | CVSS Score | Bounty (TYPO3 CMS) | Your Finding |
|---|---|---|---|
| Critical | ≥9.0 | €600 | ❌ (requires admin access) |
| High | ≥7.0 | €300 | ✅ Likely eligible |
| Medium | ≥4.0 | €150 | Possible |
| Low | <4.0 | €50 | Unlikely |
CVSS 3.1 Score: 7.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): High (H) → requires admin/database access
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
Estimated Bounty: €150-€300 (likely €300 for High severity)
TYPO3 has had multiple deserialization vulnerabilities in the past that were accepted and patched:
CVE-2019-12747
- Severity: Critical
- Impact: Remote Code Execution via deserialization
- Affected: TYPO3 8.x through 8.7.26, 9.x through 9.5.7
- Files: `DatabaseLanguageRows.php`, `DataHandler.php`
- Requirement: Authenticated backend user
- Status: ✅ Patched and CVE assigned
Source: CVE Details

CVE-2020-15098
- Severity: High
- Impact: Insecure deserialization leading to arbitrary file deletion
- Affected: TYPO3 9.0.0-9.5.16, 10.0.0-10.4.1
- Requirement: Malicious user-submitted content
- Status: ✅ Fixed in 9.5.17 and 10.4.2
Source: NVD CVE-2020-15098

Backend user settings deserialization
- Impact: Insecure deserialization in `$BE_USER->uc`
- Affected: TYPO3 9.0.0-9.5.16, 10.0.0-10.4.1
- Combination: Could lead to RCE with third-party components
- Status: ✅ Patched
Key Takeaway: TYPO3 accepts and rewards deserialization vulnerabilities even when they require authentication!
I verified the current TYPO3 master branch on GitHub:
VariableFrontend.php, line 77 (current code on master):

```php
return $this->backend instanceof TransientBackendInterface ? $rawResult : unserialize($rawResult);
```

❌ No `allowed_classes` parameter
❌ Still vulnerable to object injection

Registry.php, line 172 (your local analysis):

```php
$this->entries[$namespace][$row['entry_key']] = unserialize($row['entry_value']);
```

❌ No `allowed_classes` parameter
❌ Still vulnerable to object injection
Your specific finding in Registry.php:172 and VariableFrontend.php:77 appears to be different from previous CVEs:
- Previous CVEs targeted different files (`DataHandler.php`, `DatabaseLanguageRows.php`)
- Your finding is in core caching and registry systems
- Still present in current master branch
Even though exploitation requires admin access, TYPO3's bug bounty program accepts these because:
- Defense in depth is important
- Prevents privilege escalation chains
- Reduces attack surface if combined with other vulnerabilities
Server-side code execution is explicitly in scope for TYPO3's program:
"SQL injection, server-side code execution, XSS, CSRF vulnerabilities"
CVE-2019-12747 required authenticated backend user and was still accepted and patched.
- Requires privileged access:
  - Database write access, or
  - Backend administrator credentials
  - Not exploitable by unauthenticated users
- Similar to the "Install Tool" exclusion. The program excludes:
  "Install tool flaws requiring super-privileged user access"
  Your finding might be viewed similarly since it requires admin/database access.
- Defense-in-depth issue: more of a "hardening" recommendation than a direct exploit path.
- ✅ Different from excluded "install tool" (this is core runtime code)
- ✅ Part of attack chain (SQL injection → unserialize RCE)
- ✅ Historical precedent (CVE-2019-12747 was similar and accepted)
- ✅ Still present in current code (not yet patched)
- ✅ Clear security improvement (adding `allowed_classes`)
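The proposed fix, as an added example rather than TYPO3's own code: the current unserialize() call pattern beside a hardened variant, with the caveat a reviewer will raise, that `allowed_classes => false` does not throw but silently substitutes `__PHP_Incomplete_Class`, and that a cache which legitimately stores objects needs a safelist instead of `false`. `CacheEntry`, `Gadget` and the sample entries are constructed placeholders; PHP 8 is assumed.

```php
<?php
// Added example, not TYPO3 code: the unserialize() pattern used in Registry.php and
// VariableFrontend.php beside a hardened variant (PHP 8 assumed). $entryValue models
// a row read from sys_registry or a cache backend; CacheEntry and Gadget are placeholders.
declare(strict_types=1);

final class CacheEntry { public function __construct(public string $key = '') {} }

/** Current pattern: every class named in the payload is instantiated (CWE-502). */
function unserializeUnsafe(string $entryValue): mixed
{
    return unserialize($entryValue);
}

/**
 * Hardened pattern. PHP does not throw for a class outside allowed_classes; it yields
 * __PHP_Incomplete_Class, so the result is walked and rejected if one is present.
 * $allowed is false (scalars/arrays only) or a safelist of classes the cache stores.
 */
function unserializeSafe(string $entryValue, array|false $allowed = false): mixed
{
    $value = unserialize($entryValue, ['allowed_classes' => $allowed]);
    if (containsIncompleteClass($value)) {
        throw new UnexpectedValueException('disallowed class in serialized entry');
    }
    return $value;
}

function containsIncompleteClass(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value) || is_object($value)) {
        foreach ((array) $value as $item) {   // the array cast exposes object properties
            if (containsIncompleteClass($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample entries: plain data, an expected object, and an unexpected class.
$data    = serialize(['lastRun' => 1700000000, 'enabled' => true]);
$entry   = serialize(new CacheEntry('pages'));
$unknown = 'O:6:"Gadget":1:{s:4:"path";s:8:"/tmp/x.y";}';

var_dump(unserializeUnsafe($entry) instanceof CacheEntry);
var_dump(unserializeSafe($data) === ['lastRun' => 1700000000, 'enabled' => true]);
var_dump(unserializeSafe($entry, [CacheEntry::class]) instanceof CacheEntry);
try { unserializeSafe($unknown); } catch (UnexpectedValueException $e) { echo $e->getMessage(), PHP_EOL; }
```

For sys_registry, which holds configuration values, `false` is the right setting; for VariableFrontend, which caches arbitrary PHP variables, the safelist form is what keeps existing object entries readable.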
Subject: Security Vulnerability Report: Unsafe Deserialization in Registry and Cache Systems
Email Template:
Dear TYPO3 Security Team,
I am reporting a potential security vulnerability in TYPO3 CMS related to
unsafe deserialization in core components.
VULNERABILITY SUMMARY:
- Type: CWE-502 - Deserialization of Untrusted Data
- Impact: Remote Code Execution (requires admin/database access)
- Affected Files:
* typo3/sysext/core/Classes/Registry.php (Line 172)
* typo3/sysext/core/Classes/Cache/Frontend/VariableFrontend.php (Line 77)
- Versions: All current versions (verified on master branch)
VULNERABILITY DETAILS:
Both files call unserialize() without the 'allowed_classes' parameter,
allowing arbitrary object instantiation if an attacker can write to:
- sys_registry table (via SQL injection or database access)
- Cache backend (via cache poisoning)
EXPLOITATION REQUIREMENTS:
- Backend administrator access, OR
- Direct database write access, OR
- SQL injection vulnerability to write to sys_registry
PROOF OF CONCEPT:
I have developed working POC code and patches. I can provide these
securely after initial triage.
PROPOSED FIX:
Add ['allowed_classes' => false] parameter to unserialize() calls:
- Registry.php:172
- VariableFrontend.php:77
SEVERITY ASSESSMENT:
CVSS 3.1: 7.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
I am available to provide additional details, POC code, and collaborate
on a fix if this is accepted as a valid security issue.
Best regards,
[Your Name]
You can also submit via HackerOne at https://hackerone.com/typo3 for better tracking and potential bounty processing.
Once they respond, provide:
- ✅ Your POC scripts (`poc_rce_unserialize.php`, `demo_rce_live.php`)
- ✅ Patches (`patches/fix_registry_unserialize.patch`)
- ✅ Detailed exploitation report (`RCE_EXPLOITATION_SUMMARY.md`)
- ✅ CVSS calculator breakdown

DO NOT include in your first email:
- ❌ Working exploit code (provide only after they confirm interest)
- ❌ Details on how to exploit on live systems
- ❌ Public disclosure (coordinate with security team first)
- ❌ Demands for specific bounty amounts

DO include:
- ✅ Clear description of the issue
- ✅ Affected files and line numbers
- ✅ Impact assessment
- ✅ Proposed fix
- ✅ Offer to provide POC privately
Based on TYPO3's bug bounty program:
- Initial Response: 1-7 days
- Triage Decision: 1-2 weeks
- Fix Development: 2-8 weeks
- Public Disclosure: After fix is released
- Bounty Payment: After public release
Note: "Bug bounty payments usually happen only after a confirmed vulnerability has been fixed and released to the public."
Source: TYPO3 Bug Bounty Program
- Still present in current code
  - Verified on GitHub master branch
  - Not yet addressed by previous security patches
- Part of an attack chain
  - SQL injection → write to sys_registry → RCE
  - Defense in depth is important
- Low-effort fix
  - One-line change: add `['allowed_classes' => false]`
  - No breaking changes
  - Clear security improvement
- Similar to accepted CVEs
  - CVE-2019-12747 required authentication
  - CVE-2020-15098 was a deserialization issue
  - Precedent exists for accepting these
- Professional disclosure
  - Provide patches and POC
  - Offer to help with the fix
  - Follow responsible disclosure
❌ You are INELIGIBLE if:
- You are currently part of TYPO3 Association teams, committees, or initiatives
- You are affiliated with TYPO3 GmbH

✅ You are ELIGIBLE if:
- You are an independent security researcher
- You are an individual (not a company; the bug bounty is for individuals)
- You discovered this independently
- You are reporting responsibly
Source: TYPO3 Bug Bounty Program
- ✅ Accepted as valid security issue
- ✅ CVE assigned
- ✅ Bug bounty: €300 (High severity)
- ✅ Public credit in security advisory
- ✅ Contribution to TYPO3 security

- ✅ Accepted for security hardening
- ✅ Fixed in next release
- ✅ Bug bounty: €150-€300
- ✅ Mentioned in changelog

- ❌ Deemed "requires super-privileged access" (excluded)
- ❌ Considered "by design" behavior
- ❌ No bounty, but may still be fixed
- ⚠️ Request to not disclose publicly

Reasoning:
- ✅ It's a real security issue
- ✅ Still present in current code
- ✅ Has precedent (similar CVEs accepted)
- ✅ Low-effort fix for TYPO3
- ✅ Improves overall security posture
- ✅ You've done thorough research
- ✅ Professional disclosure approach
Potential Outcomes:
- Bounty: β¬150-β¬300 (if accepted as High severity)
- CVE: Possible CVE assignment
- Credit: Security advisory mention
- Impact: Improving TYPO3 security for thousands of sites
Even if no bounty is awarded, you will:
- Contribute to open-source security
- Build reputation as security researcher
- Help improve TYPO3 for the community
- Gain valuable disclosure experience
- Send initial report to security@typo3.org
- Wait for triage response (1-7 days)
- Provide POC and patches if requested
- Coordinate on fix timeline
- Wait for public release before disclosure
- Receive bounty payment (if approved)
- TYPO3 Bug Bounty Program: https://typo3.community/contribute/teams-committees/security/bug-bounty-program
- TYPO3 on HackerOne: https://hackerone.com/typo3
- CVE-2019-12747 Details
- NVD CVE-2020-15098
- TYPO3 Security Advisories
- GitHub - TYPO3 VariableFrontend.php
Good luck with your submission!
Remember: Always follow responsible disclosure practices and coordinate with the security team before any public disclosure.
Report Prepared: 2026-01-15
Analysis By: Security Research
Recommendation: REPORT TO TYPO3 SECURITY TEAM