Volto affected by possible DoS by invoking specific URL by anonymous user
Severity: High
Description
When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error.
Recommendation
Update the @plone/volto package to the latest compatible version. The version details are as follows:
- Affected version(s): **>= 19.0.0-alpha.1, < 19.0.0-alpha.4**; **>= 18.0.0, < 18.24.0**; **>= 17.0.0, < 17.22.1**; **< 16.34.0**
- Patched version(s): **19.0.0-alpha.4**, **18.24.0**, **17.22.1**, **16.34.0**
References
Related Issues
- @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user - CVE-2025-61668
- axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - CVE-2025-27152
- Sudden swap of user auth tokens in Volto - CVE-2022-24740
- SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering - @sveltejs/adapter-node - CVE-2025-67647
Tags: npm, @plone/volto
Last updated on November 05, 2025