GHSA-m8rj-ppph-mj33

Опубликовано: 01 окт. 2025

Источник: github

Github: Прошло ревью

CVSS4: 8.7

Описание

@plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user

Impact

When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error.

Patches

The problem has been patched and the patch has been backported to Volto major versions down until 16. It is advised to upgrade to the latest patch release of your respective current major version:

Volto 16: 16.34.1
Volto 17: 17.22.2
Volto 18: 18.27.2
Volto 19: 19.0.0-alpha6

Workarounds

Make sure your setup automatically restarts processes that quit with an error. This won't prevent a crash, but it minimises downtime.

Report

The problem was discovered by FHNW, a client of Plone provider kitconcept, who shared it with the Plone Zope Security Team (security@plone.org).

Ссылки

Пакеты

Наименование

@plone/volto

npm

Затронутые версииВерсия исправления

< 16.34.1

16.34.1

Наименование

@plone/volto

npm

Затронутые версииВерсия исправления

>= 17.0.0, < 17.22.2

17.22.2

Наименование

@plone/volto

npm

Затронутые версииВерсия исправления

>= 18.0.0, < 18.27.2

18.27.2

Наименование

@plone/volto

npm

Затронутые версииВерсия исправления

>= 19.0.0-alpha.1, < 19.0.0-alpha.6

19.0.0-alpha.6

EPSS

Процентиль: 28%

0.00099

Низкий

8.7 High

CVSS4

CVE ID

CVE-2025-61668

Дефекты

CWE-476

CWE-754

Связанные уязвимости

CVE-2025-61668

nvd

4 месяца назад

Volto is a ReactJS-based frontend for the Plone Content Management System. Versions 16.34.0 and below, 17.0.0 through 17.22.1, 18.0.0 through 18.27.1, and 19.0.0-alpha.1 through 19.0.0-alpha.5, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a specific URL. This issue is fixed in versions 16.34.1, 17.22.2, 18.27.2 and 19.0.0-alpha.6.

EPSS

Процентиль: 28%

0.00099

Низкий

8.7 High

CVSS4

CVE ID

CVE-2025-61668

Дефекты

CWE-476

CWE-754