GHSA-xjhf-7833-3pm5
Vulnerability from github
Published
2025-08-28 15:34
Modified
2025-11-05 20:41
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Volto affected by possible DoS by invoking specific URL by anonymous user
Details

Impact

When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error.

Patches

The problem has been patched and the patch has been backported to Volto major versions down until 16. It is advised to upgrade to the latest patch release of your respective current major version:

Workarounds

Make sure your setup automatically restarts processes that quit with an error. This won't prevent a crash, but it minimises downtime.

Report

The problem was discovered by FHNW, a client of Plone provider kitconcept, who shared it with the Plone Zope Security Team (security@plone.org).

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@plone/volto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "16.34.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@plone/volto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.0.0"
            },
            {
              "fixed": "17.22.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@plone/volto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "18.0.0"
            },
            {
              "fixed": "18.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@plone/volto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0.0-alpha.1"
            },
            {
              "fixed": "19.0.0-alpha.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58047"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-28T15:34:28Z",
    "nvd_published_at": "2025-08-28T18:15:33Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nWhen visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error.\n\n### Patches\nThe problem has been patched and the patch has been backported to Volto major versions down until 16. It is advised to upgrade to the latest patch release of your respective current major version:\n\n- Volto 16: [16.34.0](https://github.com/plone/volto/releases/tag/16.34.0)\n- Volto 17: [17.22.1](https://github.com/plone/volto/releases/tag/17.22.1)\n- Volto 18: [18.24.0](https://github.com/plone/volto/releases/tag/18.24.0)\n- Volto 19: [19.0.0-alpha4](https://github.com/plone/volto/releases/tag/19.0.0-alpha.4)\n\n### Workarounds\nMake sure your setup automatically restarts processes that quit with an error. This won\u0027t prevent a crash, but it minimises downtime.\n\n### Report\nThe problem was discovered by FHNW, a client of Plone provider kitconcept, who shared it with the Plone Zope Security Team (security@plone.org).",
  "id": "GHSA-xjhf-7833-3pm5",
  "modified": "2025-11-05T20:41:12Z",
  "published": "2025-08-28T15:34:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/plone/volto/security/advisories/GHSA-xjhf-7833-3pm5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58047"
    },
    {
      "type": "WEB",
      "url": "https://github.com/plone/volto/commit/2789a287ac45ad9039fb9161d465ba13241fff0a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/plone/volto"
    },
    {
      "type": "WEB",
      "url": "https://github.com/plone/volto/releases/tag/16.34.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/plone/volto/releases/tag/17.22.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/plone/volto/releases/tag/18.24.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/plone/volto/releases/tag/19.0.0-alpha.4"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/08/28/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Volto affected by possible DoS by invoking specific URL by anonymous user"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.