Volto Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Volto, the React-based frontend for the Plone Content Management System. It affects versions 19.0.0-alpha.1 up to but not including 19.0.0-alpha.4, 18.0.0 up to but not including 18.24.0, 17.0.0 up to but not including 17.22.1, and all versions prior to 16.34.0. An anonymous (unauthenticated) user can crash the Node.js server component of Volto with an error simply by visiting a specific URL. The issue was reported by FHNW, a client of the Plone provider kitconcept.

Impact

Exploitation crashes the Node.js server component, so the site stops being served until the process is restarted: a denial-of-service condition. No authentication is required, and a single request is sufficient, so the attack is trivial to repeat.

Remediation

Users are advised to upgrade to the fixed release of the line they are running: 16.34.0, 17.22.1, 18.24.0, or 19.0.0-alpha.4. To minimize downtime until the upgrade is applied, configure the process manager to restart the Node.js server automatically whenever it exits with an error.

Added: Aug 28, 2025, 6:23 PM
Updated: Aug 28, 2025, 6:23 PM

Vulnerability Rating

Custom Algorithm (each category scored 0 to 10)

spread: 2.6
impact: 2.5
exploitability: 8.4
remediation: 7.9
relevance: 0.4
threat: 3.2
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.