The Plone Zope Security Team has released an advisory addressing a denial-of-service (DoS) vulnerability in Volto, the ReactJS-based frontend of the Plone Content Management System (CMS). Tracked as CVE-2025-58047, the flaw has been given a CVSS score of 7.5, marking it as a high-severity issue.
Volto is the default frontend for Plone 6, offering an intuitive, ReactJS-driven editing and user experience. Plone is a CMS built on Python with more than 20 years of history and experience. Plone has features that appeal to developers and users alike, such as an intuitive editing interface, customizable content types, hierarchical organization, and a sophisticated permissions model.
This flexibility has made Plone and Volto popular for both small websites and enterprise-grade intranets.
The advisory describes the issue as follows: “DoS possible by invoking specific URL by anonymous user.” When a maliciously crafted request is sent, “an anonymous user could cause the NodeJS server part of Volto to quit with an error.”
This means that even unauthenticated users can crash the Volto frontend, resulting in downtime and potential disruption of web services.
The vulnerability has been patched, and the security team has backported fixes across all supported Volto major versions. Users are strongly advised to upgrade to the latest patch release of their respective major version:
- Volto 16 → 16.34.0
- Volto 17 → 17.22.1
- Volto 18 → 18.24.0
- Volto 19 → 19.0.0-alpha4
The patched versions are available on the Volto GitHub releases page.
For administrators unable to patch immediately, the advisory recommends a partial mitigation: “Make sure your setup automatically restarts processes that quit with an error. This won’t prevent a crash, but it minimises downtime.”
While this does not stop exploitation attempts, it helps reduce the service disruption caused by repeated crashes.
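The advisory's interim mitigation above (restart the Node server automatically when it exits with an error), as an added example that is not from the advisory or the Volto project: a systemd unit supervising the Volto Node.js process. The unit name, user, working directory, port and start command are assumptions; substitute your deployment's values.

```ini
# Added example: /etc/systemd/system/volto.service (path is an assumption)
[Unit]
Description=Volto frontend (Node.js server)
After=network.target
# Rate-limit restarts so a flood of crash-inducing requests does not spin the
# unit indefinitely: at most 10 starts within 60 s, then the unit is marked failed
# (visible in `systemctl status volto`, which is itself a useful crash signal).
StartLimitIntervalSec=60
StartLimitBurst=10

[Service]
Type=simple
User=volto
WorkingDirectory=/opt/volto
Environment=NODE_ENV=production
Environment=PORT=3000
# Assumed start command; use your project's production start script.
ExecStart=/usr/bin/yarn start:prod
# Restart only on a non-zero exit or a signal death, which is what the
# advisory describes (the server "quits with an error"); a clean
# `systemctl stop volto` is not restarted.
Restart=on-failure
RestartSec=2s
TimeoutStopSec=20
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload && systemctl enable --now volto`, `journalctl -u volto` shows each unexpected exit and restart, which also gives a simple detection trail for crash attempts until the patched release is deployed.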