@plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user
Severity: High
Description
When visiting a specific URL, an anonymous user could cause the Node.js server-side part of Volto to exit with an error, taking the server-side rendering process down.
Recommendation
Update the @plone/volto package to the latest compatible version. Version details are as follows:

Affected version(s):
- **>= 19.0.0-alpha.1, < 19.0.0-alpha.6**
- **>= 18.0.0, < 18.27.2**
- **>= 17.0.0, < 17.22.2**
- **< 16.34.1**

Patched version(s): **19.0.0-alpha.6**, **18.27.2**, **17.22.2**, **16.34.1**
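The affected ranges above span four release lines, one of them a prerelease line, so checking an installed version by eye is error-prone. The following is an added example (not code from the Volto project or this advisory) that parses a version string and reports whether it falls inside the advisory's affected ranges and which patched release closes the gap. It assumes plain semver precedence comparison (a release outranks its own prereleases, numeric prerelease identifiers compare numerically) rather than npm's range semantics, and it deliberately avoids a dependency on the `semver` package so it runs stand-alone.

```javascript
// Added example, not Volto project code. Assumption: ranges are checked with
// plain semver precedence; the range bounds below are copied from the advisory.
const AFFECTED_RANGES = [
  { min: "19.0.0-alpha.1", max: "19.0.0-alpha.6" }, // patched in 19.0.0-alpha.6
  { min: "18.0.0", max: "18.27.2" },                 // patched in 18.27.2
  { min: "17.0.0", max: "17.22.2" },                 // patched in 17.22.2
  { min: null, max: "16.34.1" },                     // everything before 16.34.1
];

// Split "MAJOR.MINOR.PATCH[-pre.release][+build]" into numeric core and
// prerelease identifiers; build metadata is ignored as semver requires.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : [],
  };
}

// Compare two prerelease identifiers: numeric ones compare as numbers and
// sort before alphanumeric ones; alphanumeric ones compare lexically.
function compareIdentifiers(a, b) {
  const aNum = /^\d+$/.test(a);
  const bNum = /^\d+$/.test(b);
  if (aNum && bNum) return Math.sign(Number(a) - Number(b));
  if (aNum) return -1;
  if (bNum) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 following semver precedence rules.
function compareSemver(x, y) {
  const a = parseSemver(x);
  const b = parseSemver(y);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;  // a release outranks its prereleases
  if (b.pre.length === 0) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdentifiers(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(a.pre.length - b.pre.length); // longer prerelease list wins
}

// Returns the range that covers `version`, or null when it is not affected.
function affectedRangeFor(version) {
  return (
    AFFECTED_RANGES.find(
      ({ min, max }) =>
        (min === null || compareSemver(version, min) >= 0) &&
        compareSemver(version, max) < 0
    ) || null
  );
}

function isAffected(version) {
  return affectedRangeFor(version) !== null;
}

// The upper bound of the matching range is the patched release to move to.
function patchedVersionFor(version) {
  const range = affectedRangeFor(version);
  return range ? range.max : null;
}

// Constructed sample inputs covering each release line and the prerelease edge cases.
for (const v of ["16.34.0", "16.34.1", "17.22.1", "18.27.1", "18.0.0-rc.1",
                 "19.0.0-alpha.5", "19.0.0-alpha.6", "19.0.0-alpha.10"]) {
  const fix = patchedVersionFor(v);
  console.log(`${v.padEnd(16)} ${fix ? `AFFECTED, upgrade to ${fix}` : "not affected"}`);
}
```

Run it with `node` and feed it the version from `npm ls @plone/volto` or `package-lock.json`. Note that `19.0.0-alpha.10` is reported as not affected because prerelease identifier `10` compares numerically above `6`, and `18.0.0-rc.1` falls below the `>= 18.0.0` lower bound under plain precedence; both are consequences of the comparison rules stated above, so confirm against the advisory if you are on a prerelease build.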
References
Related Issues
- Volto affected by possible DoS by invoking specific URL by anonymous user - CVE-2025-58047
- Axios is vulnerable to DoS attack through lack of data size check - CVE-2025-58754
- Sudden swap of user auth tokens in Volto - CVE-2022-24740
- Finance.js vulnerable to DoS via the IRR function’s depth parameter - CVE-2025-56571
Tags: npm, @plone/volto
Last updated on October 03, 2025