GHSA-xjhf-7833-3pm5

Published: 28 Aug 2025
Source: github
GitHub: reviewed
CVSS3: 7.5

Description

Volto affected by possible DoS by invoking specific URL by anonymous user

Impact

When visiting a specific URL, an anonymous user could cause the Node.js server part of Volto to quit with an error.

Patches

The problem has been patched and the patch has been backported to Volto major versions down to 16. It is advised to upgrade to the latest patch release of your current major version (see the package table below).

Workarounds

Make sure your setup automatically restarts processes that quit with an error. This won't prevent a crash, but it minimises downtime.
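The following is an added example of the workaround above, not configuration shipped by the Plone/Volto project: a systemd unit that restarts the Volto Node.js server automatically whenever it exits abnormally. The service name, user, working directory and start command are assumptions for a typical deployment and must be adapted to yours.

```ini
# Added example (not from the Plone/Volto project): systemd unit for the
# Volto Node.js server with automatic restart on abnormal exit.
# User, WorkingDirectory and ExecStart are assumed values.
[Unit]
Description=Volto frontend (Node.js server-side rendering)
After=network.target
# Stop retrying if the process crashes more than 5 times within 60 seconds,
# so a crash loop becomes visible in `systemctl status` instead of spinning.
StartLimitIntervalSec=60
StartLimitBurst=5

[Service]
User=volto
WorkingDirectory=/opt/volto
Environment=NODE_ENV=production
ExecStart=/usr/bin/npm start

# Restart only when the process exits with a non-zero code or is killed by a
# signal; a clean `systemctl stop` is not restarted.
Restart=on-failure
RestartSec=2s

[Install]
WantedBy=multi-user.target
```

Install it as `/etc/systemd/system/volto.service`, then run `systemctl daemon-reload` and `systemctl enable --now volto.service`. As the advisory says, this does not prevent the crash; it only shortens the outage. A burst of restarts in `journalctl -u volto` is itself a useful signal that the crashing URL is being requested and that the upgrade to a patched release should not be postponed.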

Report

The problem was discovered by FHNW, a client of Plone provider kitconcept, who shared it with the Plone Zope Security Team (security@plone.org).

Packages

Name          Ecosystem  Affected versions                    Fixed version
@plone/volto  npm        < 16.34.0                            16.34.0
@plone/volto  npm        >= 17.0.0, < 17.22.1                 17.22.1
@plone/volto  npm        >= 18.0.0, < 18.24.0                 18.24.0
@plone/volto  npm        >= 19.0.0-alpha.1, < 19.0.0-alpha.4  19.0.0-alpha.4

EPSS

Percentile: 27%
Score: 0.00098
Low

CVSS3

7.5 High

Weaknesses

CWE-755 (Improper Handling of Exceptional Conditions)

Related vulnerabilities

CVSS3: 7.5
Source: nvd
5 months ago

Volto is a React based frontend for the Plone Content Management System. In versions from 19.0.0-alpha.1 to before 19.0.0-alpha.4, 18.0.0 to before 18.24.0, 17.0.0 to before 17.22.1, and prior to 16.34.0, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a specific URL. The problem has been patched in versions 16.34.0, 17.22.1, 18.24.0, and 19.0.0-alpha.4. To mitigate downtime, have setup automatically restart processes that quit with an error.

EPSS

Percentile: 27%
Score: 0.00098
Low

CVSS3

7.5 High

Weaknesses

CWE-755 (Improper Handling of Exceptional Conditions)