VYPR
Get started
← All advisories
High severityOSV Advisory· Published Oct 2, 2025· Updated Apr 15, 2026

CVE-2025-61668

CVE-2025-61668

Description

Volto is a ReactJS-based frontend for the Plone Content Management System. Versions 16.34.0 and below, 17.0.0 through 17.22.1, 18.0.0 through 18.27.1, and 19.0.0-alpha.1 through 19.0.0-alpha.5, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a specific URL. This issue is fixed in versions 16.34.1, 17.22.2, 18.27.2 and 19.0.0-alpha.6.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@plone/voltonpm
< 16.34.116.34.1
@plone/voltonpm
>= 17.0.0, < 17.22.217.22.2
@plone/voltonpm
>= 18.0.0, < 18.27.218.27.2
@plone/voltonpm
>= 19.0.0-alpha.1, < 19.0.0-alpha.619.0.0-alpha.6

Affected products

1

Patches

1
58d9f82d2d50

Added guard in API REDUX middleware (#7412) (#7413)

https://github.com/plone/voltoVíctor Fernández de AlbaSep 29, 2025via ghsa
commit
2 files changed · +2 1
  • packages/volto/news/7412.bugfix+1 0 added
    @@ -0,0 +1 @@
+Added guard in API REDUX middleware. @sneridagh
  • packages/volto/src/middleware/api.js+1 1 modified
    @@ -410,7 +410,7 @@ const apiMiddlewareFactory =
                 ...rest,
                 error,
                 statusCode: error.response,
-                message: error.response.body.message,
+                message: error.response?.body?.message,
                 connectionRefused: false,
                 type: SET_APIERROR,
               });

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

10

News mentions

0

No linked articles in our index yet.