N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-61668

GHSA ID

GHSA-m8rj-ppph-mj33

EPSS Score

CWE

CWE-476

Published

10/1/2025

Updated

10/1/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-61668

CVE-2025-61668: @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user

Impact

When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error.

Patches

The problem has been patched and the patch has been backported to Volto major versions down until 16. It is advised to upgrade to the latest patch release of your respective current major version:

Volto 16: 16.34.1
Volto 17: 17.22.2
Volto 18: 18.27.2
Volto 19: 19.0.0-alpha6

Workarounds

Make sure your setup automatically restarts processes that quit with an error. This won't prevent a crash, but it minimises downtime.

Report

The problem was discovered by FHNW, a client of Plone provider kitconcept, who shared it with the Plone Zope Security Team (security@plone.org).

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-61668

GHSA ID

GHSA-m8rj-ppph-mj33

EPSS Score

CWE

CWE-476

Published

10/1/2025

Updated

10/1/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@plone/volto	npm	< 16.34.1	16.34.1
@plone/volto	npm	>= 17.0.0, < 17.22.2	17.22.2
@plone/volto	npm	>= 18.0.0, < 18.27.2	18.27.2
@plone/volto	npm	>= 19.0.0-alpha.1, < 19.0.0-alpha.6	19.0.0-alpha.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic null pointer dereference within the error handling logic of an API middleware in a Node.js application. The provided patch 58d9f82d2d50ca9a87edbe16fed91762e57c109c clearly shows the fix. The original code error.response.body.message assumes that error.response and error.response.body will always be present in the error object. However, a specially crafted request can cause an API error where this is not the case. The patch introduces optional chaining (?.) to safely access the nested message property, preventing the server from crashing if parts of the error object are missing. This indicates that the apiMiddlewareFactory function is the source of the vulnerability, as it creates the middleware responsible for handling API requests and their potential errors. An attacker could exploit this by sending a request that they know will cause an error in a way that the middleware doesn't expect, leading to a server crash and a denial of service.

Vulnerable functions

apiMiddlewareFactory

packages/volto/src/middleware/api.js

The vulnerability lies within the error handling logic of the `apiMiddlewareFactory`. When an API request fails, the middleware attempts to access `error.response.body.message` without verifying if `error.response` or `error.response.body` exist. A malicious actor can craft a request that triggers an error where the response structure is unexpected, causing a `TypeError` (Cannot read properties of undefined) and crashing the Node.js server, resulting in a Denial of Service.

WAF Protection Rules

WAF Rule

### Imp**t W**n visitin* * sp**i*i* URL, *n *nonymous us*r *oul* **us* t** No**JS s*rv*r p*rt o* Volto to quit wit* *n *rror. ### P*t***s T** pro*l*m **s ***n p*t**** *n* t** p*t** **s ***n ***kport** to Volto m*jor v*rsions *own until **. It is **v

Reasoning

T** vuln*r**ility is * *l*ssi* null point*r **r***r*n** wit*in t** *rror **n*lin* lo*i* o* *n *PI mi**l*w*r* in * No**.js *ppli**tion. T** provi*** p*t** `****************************************` *l**rly s*ows t** *ix. T** ori*in*l *o** `*rror.r*spo

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-61668: @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user

Impact

Patches

Workarounds

Report

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI