Vulnerability DatabaseCVE-2025-58047

CVE-2025-58047:
JavaScript vulnerability analysis and mitigation

Overview

CVE-2025-58047 is a high-severity denial-of-service (DoS) vulnerability discovered in Volto, the ReactJS-based frontend of the Plone Content Management System (CMS). The vulnerability was disclosed on August 28, 2025, affecting Volto versions from 19.0.0-alpha.1 to before 19.0.0-alpha.4, 18.0.0 to before 18.24.0, 17.0.0 to before 17.22.1, and prior to 16.34.0. Volto serves as the default frontend for Plone 6, providing an intuitive, ReactJS-driven editing and user experience (Daily CyberSecurity, NVD).

Technical details

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The technical issue involves a corner case in the devproxy component where an anonymous user could cause the NodeJS server part of Volto to crash by visiting a specific URL. The vulnerability is classified under CWE-755 (Improper Handling of Exceptional Conditions) (GitHub Advisory, NVD).

Impact

When successfully exploited, this vulnerability allows an unauthenticated attacker to cause a denial of service by making the NodeJS server component of Volto quit with an error. This can result in service disruption and potential downtime for websites running affected versions of Volto (OSS Security, Daily CyberSecurity).

Mitigation and workarounds

The vulnerability has been patched in Volto versions 16.34.0, 17.22.1, 18.24.0, and 19.0.0-alpha.4. Users are strongly advised to upgrade to these patched versions. As a temporary workaround for systems that cannot be immediately updated, administrators should ensure their setup automatically restarts processes that quit with an error. While this won't prevent the crash, it helps minimize downtime (OSS Security, GitHub Advisory).

Community reactions

The vulnerability was initially discovered by FHNW, a client of Plone provider kitconcept, who responsibly disclosed it to the Plone Zope Security Team. The security team promptly addressed the issue by developing and backporting patches to all supported versions of Volto (GitHub Advisory).

Additional resources

Source: This report was generated using AI

Related JavaScript vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-55182	CRITICAL	10	JavaScript	react-server-dom-webpack	No	Yes	Dec 03, 2025
CVE-2025-66032	HIGH	8.7	JavaScript	@anthropic-ai/claude-code	No	Yes	Dec 03, 2025
CVE-2025-66412	HIGH	8.5	JavaScript	@angular/compiler	No	Yes	Dec 01, 2025
CVE-2025-66415	MEDIUM	6.9	JavaScript	@fastify/reply-from	No	Yes	Dec 01, 2025
CVE-2025-66404	MEDIUM	6.4	JavaScript	mcp-server-kubernetes	No	Yes	Dec 03, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2025-58047: JavaScript vulnerability analysis and mitigation