GHSA-xjhf-7833-3pm5

Source
https://github.com/advisories/GHSA-xjhf-7833-3pm5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-xjhf-7833-3pm5/GHSA-xjhf-7833-3pm5.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-xjhf-7833-3pm5
Aliases
Published
2025-08-28T15:34:28Z
Modified
2025-08-28T18:52:10Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Volto affected by possible DoS by invoking specific URL by anonymous user
Details

Impact

When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error.

Patches

The problem has been patched and the patch has been backported to Volto major versions down to 16. It is advised to upgrade to the latest patch release of your respective current major version:

Workarounds

Make sure your setup automatically restarts processes that quit with an error. This won't prevent a crash, but it minimises downtime.

Report

The problem was discovered by FHNW, a client of Plone provider kitconcept, who shared it with the Plone Zope Security Team (security@plone.org).

Database specific
{
    "nvd_published_at": "2025-08-28T18:15:33Z",
    "github_reviewed_at": "2025-08-28T15:34:28Z",
    "cwe_ids": [
        "CWE-755"
    ],
    "severity": "HIGH",
    "github_reviewed": true
}
References

Affected packages

npm / @plone/volto
  Type: SEMVER
  Introduced: 0 (unknown introduced version; all previous versions are affected)
  Fixed: 16.34.0

npm / @plone/volto
  Type: SEMVER
  Introduced: 17.0.0
  Fixed: 17.22.1

npm / @plone/volto
  Type: SEMVER
  Introduced: 18.0.0
  Fixed: 18.24.0

npm / @plone/volto
  Type: SEMVER
  Introduced: 19.0.0-alpha.1
  Fixed: 19.0.0-alpha.4