Volto affected by possible DoS by invoking specific URL by anonymous user
Severity: High
Description
When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error.
Recommendation
Update the @plone/volto package to the latest compatible version. Version details:
Affected version(s):
- >= 19.0.0-alpha.1, < 19.0.0-alpha.4
- >= 18.0.0, < 18.24.0
- >= 17.0.0, < 17.22.1
- < 16.34.0
Patched version(s):
- 19.0.0-alpha.4
- 18.24.0
- 17.22.1
- 16.34.0
References
Related Issues
- jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - CVE-2026-24001
- LangChain serialization injection vulnerability enables secret extraction - CVE-2025-68665
- Elliptic's ECDSA missing check for whether leading bit of r and s is zero - CVE-2024-42460
- @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user - CVE-2025-61668
Tags: npm, @plone/volto
Last updated on November 05, 2025