CVE-2025-51846 | THREATINT

Description

CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2.

PUBLISHED Reserved 2025-06-16 | Published 2026-04-30 | Updated 2026-04-30 | Assigner cisa-cg

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-770 Allocation of Resources Without Limits or Throttling

Product status

Default status

affected

2025.3.1 (custom) before 2026.2.2

affected

2026.2.2

unaffected

Credits

John Perifanis, Unisystems

References

github.com/...anges/1e0c06ad8a0c5dab795f85f9730ec2693320c62e (url)

www.cve.org/CVERecord?id=CVE-2025-51846 (url)

raw.githubusercontent.com/...IT/white/2026/va-26-119-01.json (url)

github.com/...ad-cve-2025-51846-advisory/blob/main/README.md (url)

cve.org (CVE-2025-51846)

nvd.nist.gov (CVE-2025-51846)

Download JSON