CamelCase Catastrophe: How a Typo in TYPO3 Enabled RCE
Jan 14, 2026
Executive Summary (TL;DR)
The TYPO3 developers attempted to secure the mail spooler by whitelisting allowed classes during deserialization. However, they used the configuration key 'allowedClasses' (camelCase) instead of the required 'allowed_classes' (snake_case). PHP silently ignored the invalid key, disabling the whitelist entirely. This allows an attacker with write access to the spool directory to execute arbitrary code via gadget chains.
This is a critical insecure deserialization vulnerability in TYPO3 CMS caused by a typographical error in the options passed to unserialize(). A local attacker can escalate privileges to RCE by planting malicious serialized objects in the mail spool.
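The following added example (not TYPO3's own code) reproduces the option-key mistake described above and shows the corrected call beside it; the `SpoolEnvelope` class and the serialized payload are constructed stand-ins, and `strictUnserialize()` is a hypothetical wrapper that makes an unknown option key fail loudly instead of silently dropping the whitelist.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the message class the spooler legitimately stores.
final class SpoolEnvelope
{
    public function __construct(public string $subject = '') {}
}

// Constructed sample payload: a plain stdClass, which a working whitelist must
// refuse to instantiate. No gadget class is involved.
const CONSTRUCTED_PAYLOAD = 'O:8:"stdClass":1:{s:7:"subject";s:4:"test";}';

// Option keys unserialize() actually understands (PHP >= 7.4).
const KNOWN_UNSERIALIZE_OPTIONS = ['allowed_classes', 'max_depth'];

/**
 * Hypothetical wrapper: reject option arrays containing unknown keys so that a
 * typo such as 'allowedClasses' throws rather than disabling the whitelist.
 */
function strictUnserialize(string $data, array $options): mixed
{
    $unknown = array_diff(array_keys($options), KNOWN_UNSERIALIZE_OPTIONS);
    if ($unknown !== []) {
        throw new InvalidArgumentException(
            'Unknown unserialize() option(s): ' . implode(', ', $unknown)
        );
    }
    if (!array_key_exists('allowed_classes', $options)) {
        throw new InvalidArgumentException('allowed_classes must be set explicitly');
    }
    return unserialize($data, $options);
}

// 1. The flawed call: the camelCase key is not a recognised option, so PHP
//    ignores it and instantiates stdClass although it is not on the list.
$typo = unserialize(CONSTRUCTED_PAYLOAD, ['allowedClasses' => [SpoolEnvelope::class]]);
printf("camelCase key   -> %s\n", get_class($typo));

// 2. The corrected call: only SpoolEnvelope may be instantiated; any other
//    class comes back as __PHP_Incomplete_Class, whose magic methods never run.
$fixed = unserialize(CONSTRUCTED_PAYLOAD, ['allowed_classes' => [SpoolEnvelope::class]]);
printf("allowed_classes -> %s\n", get_class($fixed));

// 3. The wrapper catches the misspelled key at development or review time.
try {
    strictUnserialize(CONSTRUCTED_PAYLOAD, ['allowedClasses' => [SpoolEnvelope::class]]);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Running the script shows the first call returning a real `stdClass` instance while the second returns an incomplete-class placeholder, which is the whole difference between the vulnerable and fixed spoolers.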
CVSS vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
Affected Systems
Affected Versions Detail
| Product | Vendor | Affected Versions | Fixed Version |
|---|---|---|---|
| TYPO3 CMS v14 | TYPO3 | 14.0.0 - 14.0.1 | 14.0.2 |
| TYPO3 CMS v13 | TYPO3 | 13.0.0 - 13.4.22 | 13.4.23 |
| TYPO3 CMS v12 | TYPO3 | 12.0.0 - 12.4.40 | 12.4.41 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-502 |
| Attack Vector | Local (File Write) |
| CVSS | 5.2 (Medium) |
| Impact | Remote Code Execution (RCE) |
| Configuration | transport_spool_type = file |
| Exploit Status | PoC Available |
MITRE ATT&CK Mapping
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.