GHSA-XJHF-7833-3PM5

Vulnerability from github – Published: 2025-08-28 15:34 – Updated: 2025-11-05 20:41
VLAI?
Summary
Volto affected by possible DoS by invoking specific URL by anonymous user
Details

Impact

When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error.

Patches

The problem has been patched and the patch has been backported to Volto major versions down until 16. It is advised to upgrade to the latest patch release of your respective current major version:

Workarounds

Make sure your setup automatically restarts processes that quit with an error. This won't prevent a crash, but it minimises downtime.

Report

The problem was discovered by FHNW, a client of Plone provider kitconcept, who shared it with the Plone Zope Security Team (security@plone.org).

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@plone/volto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "16.34.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@plone/volto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.0.0"
            },
            {
              "fixed": "17.22.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@plone/volto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "18.0.0"
            },
            {
              "fixed": "18.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@plone/volto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0.0-alpha.1"
            },
            {
              "fixed": "19.0.0-alpha.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58047"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-28T15:34:28Z",
    "nvd_published_at": "2025-08-28T18:15:33Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nWhen visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error.\n\n### Patches\nThe problem has been patched and the patch has been backported to Volto major versions down until 16. It is advised to upgrade to the latest patch release of your respective current major version:\n\n- Volto 16: [16.34.0](https://github.com/plone/volto/releases/tag/16.34.0)\n- Volto 17: [17.22.1](https://github.com/plone/volto/releases/tag/17.22.1)\n- Volto 18: [18.24.0](https://github.com/plone/volto/releases/tag/18.24.0)\n- Volto 19: [19.0.0-alpha4](https://github.com/plone/volto/releases/tag/19.0.0-alpha.4)\n\n### Workarounds\nMake sure your setup automatically restarts processes that quit with an error. This won\u0027t prevent a crash, but it minimises downtime.\n\n### Report\nThe problem was discovered by FHNW, a client of Plone provider kitconcept, who shared it with the Plone Zope Security Team (security@plone.org).",
  "id": "GHSA-xjhf-7833-3pm5",
  "modified": "2025-11-05T20:41:12Z",
  "published": "2025-08-28T15:34:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/plone/volto/security/advisories/GHSA-xjhf-7833-3pm5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58047"
    },
    {
      "type": "WEB",
      "url": "https://github.com/plone/volto/commit/2789a287ac45ad9039fb9161d465ba13241fff0a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/plone/volto"
    },
    {
      "type": "WEB",
      "url": "https://github.com/plone/volto/releases/tag/16.34.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/plone/volto/releases/tag/17.22.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/plone/volto/releases/tag/18.24.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/plone/volto/releases/tag/19.0.0-alpha.4"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/08/28/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Volto affected by possible DoS by invoking specific URL by anonymous user"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.