CVE-2025-58047: DoS in Volto (Plone CMS)

["Maurits van Rees (Plone)" <maurits () plone org>]

A vulnerability has been discovered in Volto, the default NodeJS 
frontend for the Plone CMS.

### Impact

When visiting a specific URL, an anonymous user could cause the NodeJS 
server part of Volto to quit with an error.

### Patches

The problem has been patched and the patch has been backported to Volto 
major versions down until 16. It is advised to upgrade to the latest 
patch release of your respective current major version:

* Volto 16: [16.34.0](https://github.com/plone/volto/releases/tag/16.34.0)
* Volto 17: [17.22.1](https://github.com/plone/volto/releases/tag/17.22.1)
* Volto 18: [18.24.0](https://github.com/plone/volto/releases/tag/18.24.0)
* Volto 19: 
[19.0.0-alpha4](https://github.com/plone/volto/releases/tag/19.0.0-alpha.4)

### Workarounds

Make sure your setup automatically restarts processes that quit with an 
error. This won't prevent a crash, but it minimises downtime.

### Report

The problem was discovered by FHNW, a client of Plone provider 
kitconcept, who shared it with the Plone Zope Security Team 
(security () plone org).

### Github Advisory

The same information was published to GitHub in this 
[advisory](https://github.com/plone/volto/security/advisories/GHSA-xjhf-7833-3pm5).

Maurits van Rees
Plone/Zope Security Team