@plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user
- Severity: High
Description
An anonymous (unauthenticated) user visiting a specific URL could cause the Node.js server-side part of Volto to exit with an error.
Recommendation
Update the @plone/volto package to the latest compatible version. The version details are as follows:
- **Affected version(s):**
  - >= 19.0.0-alpha.1, < 19.0.0-alpha.6
  - >= 18.0.0, < 18.27.2
  - >= 17.0.0, < 17.22.2
  - < 16.34.1
- **Patched version(s):** 19.0.0-alpha.6, 18.27.2, 17.22.2, 16.34.1
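A quick way to check whether a deployment is in one of the affected ranges is to compare the locked @plone/volto version against them with SemVer-aware ordering, since the 19.x range is expressed in prerelease identifiers (19.0.0-alpha.1 sorts below 19.0.0-alpha.6, and both sort below 19.0.0). The following is an added example, not code from the advisory or from the Volto project; the ranges are copied from the advisory above, while the `package-lock.json` layout it reads (`packages["node_modules/@plone/volto"].version`, with the older top-level `dependencies` shape as a fallback) and the sample lock object are assumptions constructed for the example.

```javascript
// Added example (not part of the advisory or the Volto project): decide whether an
// installed @plone/volto version falls inside the advisory's affected ranges and,
// if it does, report the patched release on the same release line.
// The version ranges are those stated in the advisory; everything else is assumed.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : null,
  };
}

// Compare two prerelease identifier lists per SemVer 2.0.0 (section 11):
// a release outranks any prerelease of the same version; numeric identifiers
// compare numerically and rank below alphanumeric ones; a shorter list is lower.
function comparePre(a, b) {
  if (a === null && b === null) return 0;
  if (a === null) return 1;
  if (b === null) return -1;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (i >= a.length) return -1;
    if (i >= b.length) return 1;
    const x = a[i], y = b[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xn) {
      return -1;
    } else if (yn) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// Comparator returning -1, 0 or 1 for full versions.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.main[i] !== pb.main[i]) return pa.main[i] < pb.main[i] ? -1 : 1;
  }
  return comparePre(pa.pre, pb.pre);
}

// Affected ranges from the advisory: min is inclusive (null = no lower bound),
// max is exclusive, patched is the release that closes the range.
const AFFECTED = [
  { min: '19.0.0-alpha.1', max: '19.0.0-alpha.6', patched: '19.0.0-alpha.6' },
  { min: '18.0.0',         max: '18.27.2',        patched: '18.27.2' },
  { min: '17.0.0',         max: '17.22.2',        patched: '17.22.2' },
  { min: null,             max: '16.34.1',        patched: '16.34.1' },
];

// Returns null when the version is not affected, otherwise the patched version to move to.
function affectedBy(version) {
  for (const r of AFFECTED) {
    const aboveMin = r.min === null || compareVersions(version, r.min) >= 0;
    const belowMax = compareVersions(version, r.max) < 0;
    if (aboveMin && belowMax) return r.patched;
  }
  return null;
}

// Pull the locked @plone/volto version out of a parsed package-lock.json object.
// Assumed layouts: lockfile v2/v3 "packages" map, with the v1 "dependencies" map as fallback.
function lockedVoltoVersion(lockJson) {
  const pkgs = lockJson.packages || {};
  const entry = pkgs['node_modules/@plone/volto'];
  if (entry && entry.version) return entry.version;
  const dep = (lockJson.dependencies || {})['@plone/volto'];
  return dep && dep.version ? dep.version : null;
}

// Constructed sample lock object (not a real project's lockfile).
const SAMPLE_LOCK = { packages: { 'node_modules/@plone/volto': { version: '18.27.1' } } };

const installed = lockedVoltoVersion(SAMPLE_LOCK);
const target = affectedBy(installed);
console.log(target ? `@plone/volto ${installed} is affected; upgrade to ${target}`
                   : `@plone/volto ${installed} is not in an affected range`);
```

In a real check, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The prerelease handling matters for the 19.x line: a plain string or numeric comparison would mis-order `alpha.10` against `alpha.6` and would not place `19.0.0` above both.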
References
Related Issues
- Volto affected by possible DoS by invoking specific URL by anonymous user - CVE-2025-58047
- Systeminformation has command injection vulnerability in getWindowsIEEE8021x (SSID) - CVE-2024-56334
- @workos-inc/authkit-nextjs refresh tokens are logged when the debug flag is enabled - CVE-2024-51752
- Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS - CVE-2024-43788
- Tags:
- npm
- @plone/volto
Last updated on October 01, 2025