Summary: The vulnerability in, which allows the use of HTTP verbs in Plone, causes the server to be less responsive when the ++api++ traverser is accidentally used multiple times. Patches are available, and a workaround is to redirect routes in a frontend web server.

Plone, the open-source content management system, uses to simplify the way it interacts with external applications and services. However, there is a vulnerability in versions (2.x branch and prior to 2..1 and 3..1) that has been assigned the identifier CVE-2023-42457, which makes the server less responsive when the ++api++ traverser is used multiple times accidentally. Note that series 1.x is not affected by this issue.

The issue lies in the handling of URLs with multiple occurrences of the ++api++ traverser. As the number of traversers increases, the time taken for the server to handle the request increases exponentially. This can lead to slow server response times, affecting the overall performance and user experience.

To illustrate the effect of this issue, consider the following code snippet

from import ++api++

def traverse_multiple_apis(request):
    resource = ++api++(request)
    resource = ++api++(resource)


In this code, the ++api++ traversals are used twice, resulting in an increased response time compared to when there is only one ++api++ traverser.

To address this vulnerability, patches have been released in 2..1 and 3..1. It is advised that users update to the latest versions of to prevent potential slowdowns.

- Plone Security Announcement
- Repository
- Release Notes

For users unable to update their version, a workaround is available. One may configure their frontend web server (such as nginx or Apache) to redirect /++api++/++api++ to /++api++. Here is an example configuration for nginx:

location ~ ^/++api++/++api++ {
    rewrite ^/++api++/++api++(/.*)$ /++api++$1 permanent;

location /++api++ {
    proxy_pass http://plone-backend;

In this configuration, any URL that has /++api++/++api++ will be rewritten to only /++api++, preventing the slowdown issue caused by multiple ++api++ traversers.

By applying the available patches or using the workaround mentioned above, one can mitigate the vulnerabilities of and ensure secure and efficient handling of HTTP requests in their Plone instances.


Published on: 09/21/2023 15:15:00 UTC
Last modified on: 09/25/2023 18:53:00 UTC