Volto is a ReactJS-based frontend for the Plone Content Management System. Versions 16.34.0 and below, 17.0.0 through 17.22.1, 18.0.0 through 18.27.1, and 19.0.0-alpha.1 through 19.0.0-alpha.5, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a specific URL. This issue is fixed in versions 16.34.1, 17.22.2, 18.27.2 and 19.0.0-alpha.6.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 02 Oct 2025 22:00:00 +0000

Type Values Removed Values Added
Description Volto is a ReactJS-based frontend for the Plone Content Management System. Versions 16.34.0 and below, 17.0.0 through 17.22.1, 18.0.0 through 18.27.1, and 19.0.0-alpha.1 through 19.0.0-alpha.5, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a specific URL. This issue is fixed in versions 16.34.1, 17.22.2, 18.27.2 and 19.0.0-alpha.6.
Title @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user
Weaknesses CWE-476
CWE-754
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-10-02T21:46:32.975Z

Reserved: 2025-09-29T20:25:16.180Z

Link: CVE-2025-61668

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2025-10-02T22:15:38.410

Modified: 2025-10-02T22:15:38.410

Link: CVE-2025-61668

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.