Volto affected by possible DoS by invoking specific URL by anonymous user
Severity: High
Description
By requesting a specific URL, an unauthenticated (anonymous) user can make the Node.js server component of Volto exit with an error, taking the server process down and denying service to other users.
Recommendation
Update the @plone/volto package to the patched release for the release line you are running. Version details:
Affected version(s):
- >= 19.0.0-alpha.1, < 19.0.0-alpha.4
- >= 18.0.0, < 18.24.0
- >= 17.0.0, < 17.22.1
- < 16.34.0
Patched version(s): 19.0.0-alpha.4, 18.24.0, 17.22.1, 16.34.0
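The following is an added example, not code from the Volto project or from this advisory page: a small Node.js script that decides whether an installed @plone/volto version falls inside any of the affected ranges listed above and reports the patched version to move to. It implements SemVer 2.0 precedence itself (prerelease identifiers compare lower than the release, numeric identifiers compare numerically) rather than depending on the `semver` npm package, so it runs offline; the range table and the sample version string are taken from this advisory and constructed for the demo. Note that a plain precedence comparison treats 18.0.0-alpha.x as below 18.0.0 and therefore outside the 18.x range, which is the conservative reading of the ranges as printed.

```javascript
// check-volto.js: is the installed @plone/volto version affected by this advisory?
// Ranges copied from the advisory above; min === null means "any lower version".
const AFFECTED_RANGES = [
  { min: '19.0.0-alpha.1', max: '19.0.0-alpha.4', fixed: '19.0.0-alpha.4' },
  { min: '18.0.0',         max: '18.24.0',        fixed: '18.24.0' },
  { min: '17.0.0',         max: '17.22.1',        fixed: '17.22.1' },
  { min: null,             max: '16.34.0',        fixed: '16.34.0' },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" (optional leading "v").
// Build metadata is ignored for precedence, as SemVer specifies.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : [],
  };
}

// SemVer 2.0 precedence: returns -1 if a < b, 0 if equal, 1 if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.main[i] !== pb.main[i]) return pa.main[i] < pb.main[i] ? -1 : 1;
  }
  // Same major.minor.patch: a release outranks any prerelease of it.
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;
  if (pb.pre.length === 0) return -1;
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i];
    const y = pb.pre[i];
    if (x === y) continue;
    const xNum = /^\d+$/.test(x);
    const yNum = /^\d+$/.test(y);
    if (xNum && yNum) return Number(x) < Number(y) ? -1 : 1; // numeric: compare as numbers
    if (xNum) return -1; // numeric identifiers sort below alphanumeric ones
    if (yNum) return 1;
    return x < y ? -1 : 1; // alphanumeric: ASCII order
  }
  // All shared identifiers equal: the longer prerelease list is higher.
  if (pa.pre.length === pb.pre.length) return 0;
  return pa.pre.length < pb.pre.length ? -1 : 1;
}

// Returns { affected: boolean, fixed: string|null } for one installed version.
function voltoAdvisoryStatus(version) {
  for (const r of AFFECTED_RANGES) {
    const aboveMin = r.min === null || compareSemver(version, r.min) >= 0;
    const belowMax = compareSemver(version, r.max) < 0;
    if (aboveMin && belowMax) return { affected: true, fixed: r.fixed };
  }
  return { affected: false, fixed: null };
}

// Demo: take the version from argv, else use a constructed sample value.
const installed = process.argv[2] || '18.23.0';
const status = voltoAdvisoryStatus(installed);
console.log(
  status.affected
    ? `@plone/volto ${installed} is AFFECTED; upgrade to ${status.fixed}`
    : `@plone/volto ${installed} is not in an affected range`,
);

module.exports = { parseSemver, compareSemver, voltoAdvisoryStatus, AFFECTED_RANGES };
```

Run it against the version actually resolved in your project, for example `node check-volto.js "$(node -p "require('@plone/volto/package.json').version")"` from the project root, so that the check reflects what is installed rather than what package.json requests.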
References
Tags: npm, @plone/volto
Last updated on November 05, 2025