Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-xjhf-7833-3pm5

GitHub Security Advisory

Volto affected by possible DoS by invoking specific URL by anonymous user

✓ GitHub Reviewed HIGH Has CVE
View on GitHub

Advisory Details

### Impact
When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error.

### Patches
The problem has been patched and the patch has been backported to Volto major versions down until 16. It is advised to upgrade to the latest patch release of your respective current major version:

- Volto 16: [16.34.0](https://github.com/plone/volto/releases/tag/16.34.0)
- Volto 17: [17.22.1](https://github.com/plone/volto/releases/tag/17.22.1)
- Volto 18: [18.24.0](https://github.com/plone/volto/releases/tag/18.24.0)
- Volto 19: [19.0.0-alpha4](https://github.com/plone/volto/releases/tag/19.0.0-alpha.4)

### Workarounds
Make sure your setup automatically restarts processes that quit with an error. This won't prevent a crash, but it minimises downtime.

### Report
The problem was discovered by FHNW, a client of Plone provider kitconcept, who shared it with the Plone Zope Security Team ([email protected]).

Affected Packages

npm @plone/volto
Affected versions: 0 (fixed in 16.34.0)
npm @plone/volto
Affected versions: 17.0.0 (fixed in 17.22.1)
npm @plone/volto
Affected versions: 18.0.0 (fixed in 18.24.0)
npm @plone/volto
Affected versions: 19.0.0-alpha.1 (fixed in 19.0.0-alpha.4)

Related CVEs

CVE-2025-58047

Key Information

GHSA ID
GHSA-xjhf-7833-3pm5
Published
August 28, 2025 3:34 PM
Last Modified
August 28, 2025 6:52 PM
CVSS Score
7.5 /10
Primary Ecosystem
npm
Primary Package
@plone/volto
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 9, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.