{"id":"CVE-2025-51846","summary":"CryptPad unbounded WebSocket frame flood","details":"CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2.","modified":"2026-07-15T01:48:51.980125523Z","published":"2026-04-30T16:35:59.625Z","database_specific":{"cwe_ids":["CWE-770"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/51xxx/CVE-2025-51846.json","cna_assigner":"cisa-cg"},"references":[{"type":"WEB","url":"https://github.com/cryptpad/cryptpad/pull/2239/changes/1e0c06ad8a0c5dab795f85f9730ec2693320c62e"},{"type":"WEB","url":"https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-119-01.json"},{"type":"WEB","url":"https://www.cve.org/CVERecord?id=CVE-2025-51846"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/51xxx/CVE-2025-51846.json"},{"type":"ADVISORY","url":"https://github.com/JohnPerifanis/cryptpad-cve-2025-51846-advisory/blob/main/README.md"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-51846"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cryptpad/cryptpad","events":[{"introduced":"e24be2c8734a5405366ce4b1ce1014d2301e1e7e"},{"fixed":"9004ad2dd1b40d571b25f66dfe968606233f51a8"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"2025.3.1"},{"fixed":"2026.2.2"}]}}],"versions":["2025.9.0","2025.6.0","2025.3.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-51846.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}