CVE-2025-58047 – @plone/volto

Package

Manager: npm
Name: @plone/volto
Vulnerable Version: >=0 <16.34.0 || >=17.0.0 <17.22.1 || >=18.0.0 <18.24.0 || >=19.0.0-alpha.1 <19.0.0-alpha.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0007 pctl0.21786

Details

Volto affected by possible DoS by invoking specific URL by anonymous user ### Impact When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error. ### Patches The problem has been patched and the patch has been backported to Volto major versions down until 16. It is advised to upgrade to the latest patch release of your respective current major version: - Volto 16: [16.34.0](https://github.com/plone/volto/releases/tag/16.34.0) - Volto 17: [17.22.1](https://github.com/plone/volto/releases/tag/17.22.1) - Volto 18: [18.24.0](https://github.com/plone/volto/releases/tag/18.24.0) - Volto 19: [19.0.0-alpha4](https://github.com/plone/volto/releases/tag/19.0.0-alpha.4) ### Workarounds Make sure your setup automatically restarts processes that quit with an error. This won't prevent a crash, but it minimises downtime. ### Report The problem was discovered by FHNW, a client of Plone provider kitconcept, who shared it with the Plone Zope Security Team (security@plone.org).

Metadata

Created: 2025-08-28T15:34:28Z
Modified: 2025-08-28T18:52:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-xjhf-7833-3pm5/GHSA-xjhf-7833-3pm5.json
CWE IDs: ["CWE-755"]
Alternative ID: GHSA-xjhf-7833-3pm5
Finding: F002
Auto approve: 1