Volto security advisory 20251001

Text copied from plone.org advisory.

On behalf of the Plone Zope Security Team and the Volto team, we announce security releases for Volto, due to the following vulnerability:

Impact

When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error.

Patches

The problem has been patched and the patch has been backported to Volto major versions down until 16. It is advised to upgrade to the latest patch release of your respective current major version:

• Volto 16: 16.34.1
• Volto 17: 17.22.2
• Volto 18: 18.27.2
• Volto 19: 19.0.0-alpha6

Workarounds

Make sure your setup automatically restarts processes that quit with an error. This won't prevent a crash, but it minimises downtime.

Report

The problem was discovered by FHNW, a client of Plone provider kitconcept, who shared it with the Plone Zope Security Team (security@plone.org).

Github Advisory

The same information was published to GitHub in this advisory.

If you using external images (photo), don’t update to 18.27.2 or 18.27.3

…

I fallback to the old version

With "external images" I thought you meant external Docker images or something. Apparently you mean something else.

For the benefit of others: see this issue he just opened: 18.27.2 can't add external image · Issue #7436 · plone/volto · GitHub

sorry I mean external photo, it mean paste a like of jpeg.

Issue gone after I rebuild the site with

Plone 6.1.3 released