CVE-2025-58047
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-28

Last updated on: 2025-11-04

Assigner: GitHub, Inc.

Description
Volto is a React based frontend for the Plone Content Management System. In versions from 19.0.0-alpha.1 to before 19.0.0-alpha.4, 18.0.0 to before 18.24.0, 17.0.0 to before 17.22.1, and prior to 16.34.0, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a specific URL. The problem has been patched in versions 16.34.0, 17.22.1, 18.24.0, and 19.0.0-alpha.4. To mitigate downtime, have setup automatically restart processes that quit with an error.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-28
Last Modified
2025-11-04
Generated
2026-06-16
AI Q&A
2025-08-28
EPSS Evaluated
2026-06-14
NVD
CVE-2025-58047
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
plone volto 17.22.1
plone volto 18.24.0
plone volto 19.0.0-alpha.4
plone volto 16.34.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-755 The product does not handle or incorrectly handles an exceptional condition.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-58047 is a high-severity denial-of-service (DoS) vulnerability in the NodeJS server component of the Volto frontend for the Plone CMS. An anonymous user can trigger this vulnerability by visiting a specific URL, which causes the Volto server process to crash with an error. This affects multiple versions of Volto prior to certain patched releases. The root cause involves a corner case in the server's handling of requests where a pathname variable can be null, leading to an unhandled error and server crash. [1, 2]

Impact Analysis

This vulnerability can cause the Volto server process to crash and become unavailable, resulting in a denial-of-service condition. Since the attack requires no authentication and can be triggered remotely by simply visiting a specific URL, it can lead to service downtime and disruption of availability for users relying on the Volto frontend. [1]

Detection Guidance

This vulnerability can be detected by monitoring for crashes of the Volto NodeJS server process when an anonymous user visits a specific URL that triggers the issue. Since the vulnerability causes the server to quit with an error, checking server logs for unexpected crashes or errors related to the devproxy middleware or pathname handling can help detect it. There are no specific commands provided to detect the vulnerability directly, but you can monitor the Volto server process status and logs. Additionally, testing access to the Volto frontend with an anonymous user visiting various URLs and observing if the server crashes can help identify the issue. [1]

Mitigation Strategies

The immediate recommended mitigation is to upgrade the Volto frontend to a patched version: 16.34.0, 17.22.1, 18.24.0, or 19.0.0-alpha.4, depending on your major version. As a workaround until you can upgrade, configure your environment to automatically restart the Volto server processes if they crash to minimize downtime, although this does not prevent the crash itself. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58047. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart