
Cloud Vulnerability DB
A community-led vulnerabilities database
Volto, a ReactJS-based frontend for the Plone Content Management System, was found to contain a vulnerability (CVE-2025-61668) affecting versions 16.34.0 and below, 17.0.0 through 17.22.1, 18.0.0 through 18.27.1, and 19.0.0-alpha.1 through 19.0.0-alpha.5. The vulnerability allowed anonymous users to cause the NodeJS server part of Volto to quit with an error when visiting a specific URL (Tenable CVE).
The vulnerability has been assessed as High severity with a CVSS v4 score of 8.7. The attack vector is Network-based with low complexity, requiring no special privileges or user interaction. The vulnerability primarily impacts system availability, with no direct effect on confidentiality or integrity. The attack can be executed remotely through network access (GitHub Advisory).
When successfully exploited, the vulnerability results in a denial of service condition where the NodeJS server component of Volto terminates with an error. This affects the availability of the system while having no impact on data confidentiality or integrity (GitHub Advisory).
The vulnerability has been patched in versions 16.34.1, 17.22.2, 18.27.2, and 19.0.0-alpha.6. Users are advised to upgrade to the latest patch release of their respective major version. As a temporary workaround, organizations can ensure that their setup automatically restarts processes that quit with an error; this does not prevent the crash, but it minimizes the resulting downtime (GitHub Advisory).
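As an added example (not part of this report or of the Volto project), the following check classifies an installed @plone/volto version against the affected and patched ranges listed above; it assumes versions follow the MAJOR.MINOR.PATCH[-alpha.N] scheme used in the advisory.

```javascript
// Added example: classify a Volto version against the CVE-2025-61668 ranges.
// Assumes the "MAJOR.MINOR.PATCH" or "MAJOR.MINOR.PATCH-alpha.N" scheme only.

// Parse a version string into a comparable object. A prerelease sorts before
// the corresponding final release, so "19.0.0-alpha.5" < "19.0.0".
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-alpha\.(\d+))?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  const [, major, minor, patch, alpha] = m;
  return {
    major: +major, minor: +minor, patch: +patch,
    // Infinity marks a final release, which sorts after every alpha.
    alpha: alpha === undefined ? Infinity : +alpha,
  };
}

// Lexicographic comparison over (major, minor, patch, alpha): -1, 0 or 1.
function compare(a, b) {
  for (const k of ["major", "minor", "patch", "alpha"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// Affected ranges as published: 16.34.0 and below, 17.0.0 through 17.22.1,
// 18.0.0 through 18.27.1, 19.0.0-alpha.1 through 19.0.0-alpha.5.
const AFFECTED = [
  ["0.0.0", "16.34.0"],
  ["17.0.0", "17.22.1"],
  ["18.0.0", "18.27.1"],
  ["19.0.0-alpha.1", "19.0.0-alpha.5"],
].map(([lo, hi]) => [parseVersion(lo), parseVersion(hi)]);

// Patched releases per major line, as published.
const FIXED = ["16.34.1", "17.22.2", "18.27.2", "19.0.0-alpha.6"];

// Returns { affected, fixedIn }; fixedIn is the patched release on the same
// major line, or null when no patched release exists for that major.
function checkVolto(version) {
  const v = parseVersion(version);
  const affected = AFFECTED.some(
    ([lo, hi]) => compare(v, lo) >= 0 && compare(v, hi) <= 0
  );
  const fixedIn = FIXED.find((f) => parseVersion(f).major === v.major) || null;
  return { affected, fixedIn };
}
```

Run `checkVolto(require("@plone/volto/package.json").version)` inside a Volto project to test the installed release.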
The vulnerability was initially discovered by FHNW, a client of Plone provider kitconcept, who responsibly disclosed it to the Plone Zope Security Team (GitHub Advisory).
Source: This report was generated using AI