@plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user
- Severity: High
Description
When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error.
Recommendation
Update the @plone/volto package to the latest compatible version. The affected and patched versions are:

Affected version(s):
- >= 19.0.0-alpha.1, < 19.0.0-alpha.6
- >= 18.0.0, < 18.27.2
- >= 17.0.0, < 17.22.2
- < 16.34.1

Patched version(s): **19.0.0-alpha.6**, **18.27.2**, **17.22.2**, **16.34.1**
References
Related Issues
- Volto affected by possible DoS by invoking specific URL by anonymous user - CVE-2025-58047
- axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - CVE-2025-27152
- Axios is vulnerable to DoS attack through lack of data size check - CVE-2025-58754
- pdfmake is vulnerable to Throttling via repeatedly redirecting URL in file embedding - CVE-2025-11362
- Tags: npm, @plone/volto
Last updated on October 03, 2025