VYPR
Severity: High (7.5) · OSV Advisory · Published Aug 28, 2025 · Updated Apr 15, 2026

CVE-2025-58047

Description

Volto is a React-based frontend for the Plone Content Management System. In versions from 19.0.0-alpha.1 before 19.0.0-alpha.4, from 18.0.0 before 18.24.0, from 17.0.0 before 17.22.1, and in all versions before 16.34.0, an anonymous user could cause the Node.js server part of Volto to exit with an error by visiting a specific URL. The problem has been patched in versions 16.34.0, 17.22.1, 18.24.0, and 19.0.0-alpha.4. To limit downtime until the upgrade is applied, run the Volto server under a supervisor that automatically restarts processes that exit with an error.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem  Affected versions                    Patched version
@plone/volto   npm        < 16.34.0                            16.34.0
@plone/volto   npm        >= 17.0.0, < 17.22.1                 17.22.1
@plone/volto   npm        >= 18.0.0, < 18.24.0                 18.24.0
@plone/volto   npm        >= 19.0.0-alpha.1, < 19.0.0-alpha.4  19.0.0-alpha.4

Affected products: 1

Patches: 5
Commit 3214ae4d331b: Release @plone/slate 19.0.0-alpha.4

https://github.com/plone/volto · Victor Fernandez de Alba · Aug 25, 2025 · via osv
3 files changed · +7 −2
  • packages/volto-slate/CHANGELOG.md (modified, +6 −0)
    @@ -8,6 +8,12 @@
     
     <!-- towncrier release notes start -->
     
    +## 19.0.0-alpha.4 (2025-08-25)
    +
    +### Internal
    +
    +- Update @testing-library/react to 14.3.1. @wesleybl [#7260](https://github.com/plone/volto/issues/7260)
    +
     ## 19.0.0-alpha.3 (2025-06-25)
     
     ### Bugfix
    
  • packages/volto-slate/news/7260.internal (removed, +0 −1)
    @@ -1 +0,0 @@
    -Update @testing-library/react to 14.3.1. @wesleybl
    
  • packages/volto-slate/package.json (modified, +1 −1)
    @@ -1,6 +1,6 @@
     {
       "name": "@plone/volto-slate",
    -  "version": "19.0.0-alpha.3",
    +  "version": "19.0.0-alpha.4",
       "description": "Slate.js integration with Volto",
       "main": "src/index.js",
       "author": "European Environment Agency: IDM2 A-Team",
    
Commit 31702f552aa6: Release 17.22.1

https://github.com/plone/volto · Victor Fernandez de Alba · Aug 25, 2025 · via osv
6 files changed · +16 −4
  • CHANGELOG.md (modified, +7 −0)
    @@ -17,6 +17,13 @@ myst:
     
     <!-- towncrier release notes start -->
     
    +## 17.22.1 (2025-08-25)
    +
    +### Bugfix
    +
    +- fix(fetchContent): correctly handle undefined blocksType in async fetchContent @nileshgulia1 [#7112](https://github.com/plone/volto/issues/7112)
    +- Fix corner case in devproxy when pathname is null. @sneridagh [#7276](https://github.com/plone/volto/issues/7276)
    +
     ## 17.22.0 (2025-05-20)
     
     ### Feature
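Review bot: the 17.22.1 entry for #7276 describes the fix only as a "corner case in devproxy when pathname is null", which gives an operator reading release notes no reason to prioritise the upgrade. The advisory on this page states that an anonymous visitor could make the Node.js server exit, so this line should be marked as a security fix and, once assigned, carry the CVE identifier, for example "Fix corner case in devproxy when pathname is null (security: unauthenticated crash of the Node.js server). @sneridagh". The same wording recurs in docs/source/release-notes/index.md below and in the 16.34.0 and 18.24.0 release changelogs, so the note applies to those entries as well.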
    
  • docs/source/release-notes/index.md (modified, +7 −0)
    @@ -17,6 +17,13 @@ myst:
     
     <!-- towncrier release notes start -->
     
    +## 17.22.1 (2025-08-25)
    +
    +### Bugfix
    +
    +- fix(fetchContent): correctly handle undefined blocksType in async fetchContent @nileshgulia1 [#7112](https://github.com/plone/volto/issues/7112)
    +- Fix corner case in devproxy when pathname is null. @sneridagh [#7276](https://github.com/plone/volto/issues/7276)
    +
     ## 17.22.0 (2025-05-20)
     
     ### Feature
    
  • news/7112.bugfix (removed, +0 −1)
    @@ -1 +0,0 @@
    -fix(fetchContent): correctly handle undefined blocksType in async fetchContent @nileshgulia1
    \ No newline at end of file
    
  • news/7276.bugfix (removed, +0 −1)
    @@ -1 +0,0 @@
    -Fix corner case in devproxy when pathname is null. @sneridagh
    
  • package.json (modified, +1 −1)
    @@ -9,7 +9,7 @@
         }
       ],
       "license": "MIT",
    -  "version": "17.22.0",
    +  "version": "17.22.1",
       "repository": {
         "type": "git",
         "url": "git@github.com:plone/volto.git"
    
  • packages/volto-slate/package.json (modified, +1 −1)
    @@ -1,6 +1,6 @@
     {
       "name": "@plone/volto-slate",
    -  "version": "17.22.0",
    +  "version": "17.22.1",
       "description": "Slate.js integration with Volto",
       "main": "src/index.js",
       "author": "European Environment Agency: IDM2 A-Team",
    
Commit bf1a7ceacf23: Release 16.34.0

https://github.com/plone/volto · Victor Fernandez de Alba · Aug 25, 2025 · via osv
5 files changed · +12 −4
  • CHANGELOG.md (modified, +10 −0)
    @@ -8,6 +8,16 @@
     
     <!-- towncrier release notes start -->
     
    +## 16.34.0 (2025-08-25)
    +
    +### Feature
    +
    +- Provide language alternate links @erral [#6615](https://github.com/plone/volto/issues/6615)
    +
    +### Bugfix
    +
    +- Fix corner case in devproxy when pathname is null. @sneridagh [#7276](https://github.com/plone/volto/issues/7276)
    +
     ## 16.33.0 (2024-10-23)
     
     ### Feature
    
  • news/6615.feature (removed, +0 −1)
    @@ -1 +0,0 @@
    -Provide language alternate links @erral
    
  • news/7276.bugfix (removed, +0 −1)
    @@ -1 +0,0 @@
    -Fix corner case in devproxy when pathname is null. @sneridagh
    
  • package.json (modified, +1 −1)
    @@ -9,7 +9,7 @@
         }
       ],
       "license": "MIT",
    -  "version": "16.33.0",
    +  "version": "16.34.0",
       "repository": {
         "type": "git",
         "url": "git@github.com:plone/volto.git"
    
  • packages/volto-slate/package.json (modified, +1 −1)
    @@ -1,6 +1,6 @@
     {
       "name": "@plone/volto-slate",
    -  "version": "16.33.0",
    +  "version": "16.34.0",
       "description": "Slate.js integration with Volto",
       "main": "src/index.js",
       "author": "European Environment Agency: IDM2 A-Team",
    
Commit 7591fff2e732: Release 18.24.0

https://github.com/plone/volto · Victor Fernandez de Alba · Aug 25, 2025 · via osv
11 files changed · +39 −9
  • docs/source/release-notes/index.md (modified, +19 −0)
    @@ -17,6 +17,25 @@ myst:
     
     <!-- towncrier release notes start -->
     
    +## 18.24.0 (2025-08-25)
    +
    +### Feature
    +
    +- Complete missing catalan translations @rboixaderg [#7209](https://github.com/plone/volto/issues/7209)
    +- Add support for single selection in SelectAutoComplete widget. @iFlameing [#7270](https://github.com/plone/volto/issues/7270)
    +
    +### Bugfix
    +
    +- Contents view: Label 'None' for deselecting needs to be different from 'None' of a not available value in the table. @ksuess [#7233](https://github.com/plone/volto/issues/7233)
    +- UniversalLink: regression, pass on onClick to Link component. @fredvd [#7240](https://github.com/plone/volto/issues/7240)
    +- Hide the `webstats_head_js` field in the site control panel form @erral [#7244](https://github.com/plone/volto/issues/7244)
    +- Fix corner case in devproxy when pathname is null. @sneridagh [#7276](https://github.com/plone/volto/issues/7276)
    +
    +### Internal
    +
    +- Update eslint-config-prettier past malware versions to "^9.1.2". @kittauri [#7254](https://github.com/plone/volto/issues/7254)
    +- Test with Plone 6.1.2. @davisagli 
    +
     ## 18.23.0 (2025-06-12)
     
     ### Feature
    
  • packages/volto/CHANGELOG.md (modified, +19 −0)
    @@ -17,6 +17,25 @@ myst:
     
     <!-- towncrier release notes start -->
     
    +## 18.24.0 (2025-08-25)
    +
    +### Feature
    +
    +- Complete missing catalan translations @rboixaderg [#7209](https://github.com/plone/volto/issues/7209)
    +- Add support for single selection in SelectAutoComplete widget. @iFlameing [#7270](https://github.com/plone/volto/issues/7270)
    +
    +### Bugfix
    +
    +- Contents view: Label 'None' for deselecting needs to be different from 'None' of a not available value in the table. @ksuess [#7233](https://github.com/plone/volto/issues/7233)
    +- UniversalLink: regression, pass on onClick to Link component. @fredvd [#7240](https://github.com/plone/volto/issues/7240)
    +- Hide the `webstats_head_js` field in the site control panel form @erral [#7244](https://github.com/plone/volto/issues/7244)
    +- Fix corner case in devproxy when pathname is null. @sneridagh [#7276](https://github.com/plone/volto/issues/7276)
    +
    +### Internal
    +
    +- Update eslint-config-prettier past malware versions to "^9.1.2". @kittauri [#7254](https://github.com/plone/volto/issues/7254)
    +- Test with Plone 6.1.2. @davisagli 
    +
     ## 18.23.0 (2025-06-12)
     
     ### Feature
    
  • packages/volto/news/7209.feature (removed, +0 −1)
    @@ -1 +0,0 @@
    -Complete missing catalan translations @rboixaderg
    \ No newline at end of file
    
  • packages/volto/news/7233.bugfix (removed, +0 −1)
    @@ -1 +0,0 @@
    -Contents view: Label 'None' for deselecting needs to be different from 'None' of a not available value in the table. @ksuess
    \ No newline at end of file
    
  • packages/volto/news/7240.bugfix (removed, +0 −1)
    @@ -1 +0,0 @@
    -UniversalLink: regression, pass on onClick to Link component. @fredvd
    \ No newline at end of file
    
  • packages/volto/news/7244.bugfix (removed, +0 −1)
    @@ -1 +0,0 @@
    -Hide the `webstats_head_js` field in the site control panel form @erral
    \ No newline at end of file
    
  • packages/volto/news/7254.internal (removed, +0 −1)
    @@ -1 +0,0 @@
    -Update eslint-config-prettier past malware versions to "^9.1.2". @kittauri 
    \ No newline at end of file
    
  • packages/volto/news/7270.feature (removed, +0 −1)
    @@ -1 +0,0 @@
    -Add support for single selection in SelectAutoComplete widget. @iFlameing
    \ No newline at end of file
    
  • packages/volto/news/7276.bugfix (removed, +0 −1)
    @@ -1 +0,0 @@
    -Fix corner case in devproxy when pathname is null. @sneridagh
    
  • packages/volto/news/+plone612.internal (removed, +0 −1)
    @@ -1 +0,0 @@
    -Test with Plone 6.1.2. @davisagli
    
  • packages/volto/package.json (modified, +1 −1)
    @@ -9,7 +9,7 @@
         }
       ],
       "license": "MIT",
    -  "version": "18.23.0",
    +  "version": "18.24.0",
       "repository": {
         "type": "git",
         "url": "git@github.com:plone/volto.git"
    
Commit 2789a287ac45: Fix corner case in devproxy when pathname is null (#7276)

https://github.com/plone/volto · Víctor Fernández de Alba · Aug 25, 2025 · via ghsa
2 files changed · +8 −2
  • packages/volto/news/7276.bugfix (added, +1 −0)
    @@ -0,0 +1 @@
    +Fix corner case in devproxy when pathname is null. @sneridagh
    
  • packages/volto/src/express-middleware/devproxy.js (modified, +7 −2)
    @@ -10,8 +10,13 @@ import querystring from 'querystring';
     import { parse as parseUrl } from 'url';
     
     const filter = function (pathname, req) {
    -  // This is the proxy to the API in case the accept header is 'application/json'
    -  return config.settings.devProxyToApiPath && pathname.startsWith('/++api++');
    +  // Check if pathname is defined, there are some corner cases that pathname is null
    +  if (pathname) {
    +    // This is the proxy to the API in case the accept header is 'application/json'
    +    return config.settings.devProxyToApiPath && pathname.startsWith('/++api++');
    +  } else {
    +    return false;
    +  }
     };
     
     let _env = null;
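Review bot: the `if (pathname)` guard stops `pathname.startsWith` from throwing on null, but the truthy branch still returns the raw `config.settings.devProxyToApiPath` value rather than a boolean, so when that setting is unset the filter yields `undefined` instead of `false`; `return Boolean(config.settings.devProxyToApiPath) && pathname.startsWith('/++api++');` keeps both branches boolean. A `typeof pathname === 'string'` check would also cover any non-string truthy value, which would throw in exactly the same way the null did. The new comment says only "there are some corner cases that pathname is null"; since this hunk sits directly below `import { parse as parseUrl } from 'url';`, stating where the null actually comes from would let the next reader judge whether the check can be tightened or the source fixed instead.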
    


References: 9
