NodeJS Server Vulnerability in Volto Frontend for Plone CMS
CVE-2025-58047

7.5HIGH

Key Information:

Vendor

Plone

Status
Volto
Vendor
CVE Published:
28 August 2025

What is CVE-2025-58047?

A vulnerability in Volto, the React-based frontend for the Plone Content Management System, allows an anonymous user to crash the NodeJS server by accessing a specific URL. This issue affects various versions of Volto, and while it has been patched in the latest releases, it could lead to unexpected downtime if not properly managed. Users are advised to update to versions 16.34.0, 17.22.1, 18.24.0, or 19.0.0-alpha.4 to ensure that their installations are secure. Implementing process management strategies for automatic restarts can also help mitigate potential service interruptions.

Affected Version(s)

volto < 16.34.0 < 16.34.0

volto >= 17.0.0, < 17.22.1 < 17.0.0, 17.22.1

volto >= 18.0.0, < 18.24.0 < 18.0.0, 18.24.0

References

https://github.com/plone/volto/security/advisories/GHSA-x...
x_refsource_CONFIRM
https://github.com/plone/volto/commit/2789a287ac45ad9039f...
x_refsource_MISC
https://github.com/plone/volto/releases/tag/16.34.0
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-58047 : NodeJS Server Vulnerability in Volto Frontend for Plone CMS