Unknown · Plone.Rest · CVE-2023-42457
**Name of the Vulnerable Software and Affected Versions**
plone.rest versions 2.0.0 through 2.0.1
plone.rest versions 3.0.0 through 3.0.1
**Description**
The issue lies in the `++api++` traverser in plone.rest, which lets clients address Plone content with HTTP verbs such as GET, POST, PUT and DELETE. When the `++api++` traverser appears multiple times in a single URL, whether by accident or on purpose, handling the request takes increasingly longer with each repetition, making the server less responsive. This can be exploited to cause a denial of service.
**Recommendations**
For plone.rest versions 2.0.0 through 2.0.1, update to version 2.0.1 to resolve the issue.
For plone.rest versions 3.0.0 through 3.0.1, update to version 3.0.1 to resolve the issue.
As a temporary workaround, consider redirecting `/++api++/++api++` to `/++api++` in your frontend web server (nginx, Apache) to minimize the risk of exploitation.
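An nginx fragment implementing the workaround above, added here as an illustration and not taken from the advisory or the plone.rest project; the backend address and port, the hostname and the use of a plain `proxy_pass` are assumptions, and the redirect collapses two or more consecutive leading `++api++` segments into one, so it also covers longer repetitions than the single `/++api++/++api++` case named above.

```nginx
# Constructed example: collapse repeated leading ++api++ segments before
# the request reaches Plone. Assumes Plone/Zope listens on 127.0.0.1:8080
# (assumption) and that this server block is the public frontend.
server {
    listen 80;
    server_name plone.example.test;   # placeholder hostname

    # Two or more consecutive "/++api++" segments at the start of the path:
    # redirect to a single "/++api++" followed by the remainder of the path.
    # The regex is quoted because it contains "{" and "}"; "[+]" avoids
    # backslash escaping inside the quoted string. "$1" is empty when the
    # repeated segments are the whole path, so "/++api++/++api++" becomes
    # "/++api++". The query string is re-attached explicitly because
    # "return" does not append it on its own.
    location ~ "^(?:/[+][+]api[+][+]){2,}(/.*)?$" {
        return 301 /++api++$1$is_args$args;
    }

    # Everything else, including a single "/++api++" prefix, is proxied
    # to the Plone backend unchanged (assumed simple proxy setup).
    location / {
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Check the rule with `nginx -t` and then, for example, `curl -I http://plone.example.test/++api++/++api++/` should answer `301` with `Location: /++api++/` before the request ever reaches Plone.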