Volto affected by possible DoS by invoking specific URL by anonymous user
- Severity: High
Description
By visiting a specific URL, an anonymous user could cause the Node.js server process of Volto to exit with an error, taking the server side of the site down (a denial of service).
Recommendation
Update the @plone/volto package to the latest compatible version. The affected and patched versions are:
- Affected version(s): **>= 19.0.0-alpha.1, < 19.0.0-alpha.4**; **>= 18.0.0, < 18.24.0**; **>= 17.0.0, < 17.22.1**; **< 16.34.0**
- Patched version(s): **19.0.0-alpha.4**, **18.24.0**, **17.22.1**, **16.34.0**
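To check whether a deployed @plone/volto version falls inside the affected ranges above, here is an added example (not code from the advisory or from the Volto project) that implements just enough semver comparison to order pre-release tags such as 19.0.0-alpha.1 before the 19.0.0 release; the `AFFECTED_RANGES` table is transcribed from the advisory.

```javascript
// Added example, not code from the advisory or the Volto project: checks an
// installed @plone/volto version against the affected ranges quoted above,
// with enough semver logic that 19.0.0-alpha.1 sorts before 19.0.0.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { main: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null };
}

function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.main[i] !== y.main[i]) return x.main[i] < y.main[i] ? -1 : 1;
  }
  // Same major.minor.patch: a release is greater than any of its pre-releases.
  if (!x.pre || !y.pre) return (x.pre ? 0 : 1) - (y.pre ? 0 : 1);
  // Pre-release identifiers: numeric ones compare as numbers and sort before
  // alphanumeric ones; a shorter identifier list sorts first.
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1;
    if (q === undefined) return 1;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn !== qn) return pn ? -1 : 1;
    if (pn ? +p !== +q : p !== q) return (pn ? +p < +q : p < q) ? -1 : 1;
  }
  return 0;
}

// [lower bound inclusive or null, upper bound exclusive], copied from the
// advisory; each upper bound is the corresponding patched release.
const AFFECTED_RANGES = [
  ['19.0.0-alpha.1', '19.0.0-alpha.4'],
  ['18.0.0', '18.24.0'],
  ['17.0.0', '17.22.1'],
  [null, '16.34.0'],
];

function isAffected(version) {
  return AFFECTED_RANGES.some(([lo, hi]) =>
    (lo === null || compareVersions(version, lo) >= 0) &&
    compareVersions(version, hi) < 0);
}
```

Feed it the `version` field of the installed package's package.json; a `true` result means the deployment is inside an affected range and should be moved to the patched release for its major line.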
References
Related Issues
- @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user - CVE-2025-61668
- @intlify/shared Prototype Pollution vulnerability (GHSA-hjwq-mjwj-4x6c) 3 - CVE-2024-52810
- @intlify/shared Prototype Pollution vulnerability (GHSA-hjwq-mjwj-4x6c) 2 - CVE-2024-52810
- angular-base64-upload vulnerable to unauthenticated remote code execution - CVE-2024-42640
- Tags:
- npm
- @plone/volto
Last updated on August 28, 2025