Description
CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2.
Published: 2026-04-30
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CryptPad 2025.3.1 places no bound on the rate or volume of WebSocket frames a single client may send. A remote, unauthenticated attacker who can open a WebSocket connection to the instance can push frames as fast as the link allows, and the server spends CPU and memory processing every one of them. The effect is to degrade or deny real-time collaboration for every other user of the instance. The weakness is CWE-770, Allocation of Resources Without Limits or Throttling.

Affected Systems

The CVE record names CryptPad 2025.3.1 as affected and 2026.2.2 as the fixed release. The NVD CPE (cpe:2.3:a:xwiki:cryptpad:*) carries no version bound, so treat every deployment older than 2026.2.2 as susceptible until it has been upgraded.

Risk and Exploitability

The CVSS v4.0 score of 8.7 (High; the v3.1 vector scores 7.5) reflects a network-reachable flaw that needs no privileges or user interaction and has high availability impact with no confidentiality or integrity impact. EPSS puts the probability of exploitation in the next 30 days below 1%, the CVE is not listed in CISA KEV, and CISA's SSVC assessment records no known exploitation while marking the flaw Automatable. Exploitation is simple: any client that can complete a WebSocket handshake can send frames continuously, consuming server CPU or memory until the instance stops responding to legitimate users.

Generated by OpenCVE AI on May 1, 2026 at 05:07 UTC.

Remediation

Vendor fix: upgrade to CryptPad 2026.2.2 or later. No vendor-provided workaround is listed.

OpenCVE Recommended Actions

  • Upgrade to CryptPad version 2026.2.2 or later, which contains the fix for the unbounded WebSocket frame flood.
  • If an upgrade cannot be performed immediately, bound frames per connection at the application layer, where frames are actually parsed. HTTP rate limiting at a reverse proxy (for example nginx limit_req) only governs the upgrade handshake, not the frames that follow on an established connection; what the proxy can still do is cap concurrent WebSocket connections per source address and enforce read and idle timeouts, so one client cannot hold many flooding connections open.
  • Monitor WebSocket traffic per connection and per source address: frames per second, bytes per second and connection count. Alert on sustained rates far above normal collaborative-editing traffic and on connections the server closes for rate violations, so a flood is noticed before the instance becomes unresponsive.
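As an added example (not CryptPad's own code, and not a description of how its server is implemented), the Node.js snippet below puts the unbounded frame-handler shape behind this CVE next to a per-connection token-bucket budget that implements the application-layer limit recommended above, then runs a simulated flood and a simulated busy editor against both. The FakeSocket class, the rate/burst/violation numbers, the two client profiles and their addresses are illustrative assumptions.

```javascript
'use strict';
// Added example, not CryptPad's code: a per-connection WebSocket frame
// budget (token bucket) next to the unbounded pattern the CVE describes.
// FakeSocket stands in for a real server-side socket (e.g. from the `ws`
// package) so the simulation runs offline; the rate/burst/violation numbers
// are illustrative assumptions, not CryptPad's settings.

// Token bucket: refills `rate` tokens per second, never above `burst`.
class FrameBudget {
  constructor(rate, burst) {
    this.rate = rate;
    this.burst = burst;
    this.tokens = burst;
    this.last = 0;        // timestamp (seconds) of the previous frame
    this.violations = 0;  // frames refused since the connection opened
  }
  // Spend one token for a frame arriving at `now`; false means "over budget".
  allow(now) {
    const elapsed = Math.max(0, now - this.last);
    this.last = now;
    this.tokens = Math.min(this.burst, this.tokens + elapsed * this.rate);
    if (this.tokens >= 1) { this.tokens -= 1; return true; }
    return false;
  }
}

// Minimal stand-in for a server-side socket: records whether it was closed.
class FakeSocket {
  constructor(ip) { this.ip = ip; this.closed = false; this.closeCode = null; this.closeReason = ''; }
  close(code, reason) {
    if (!this.closed) { this.closed = true; this.closeCode = code; this.closeReason = reason; }
  }
}

// Unbounded handler: every frame is accepted and queued for processing,
// however fast it arrives. This is the CWE-770 shape of the bug.
function unboundedHandler(socket, frame, state) {
  state.queue.push(frame);
  return 'accepted';
}

// Bounded handler: one token per frame. Once the bucket is empty, frames are
// dropped and, after `maxViolations` refusals, the connection is closed with
// 1008 (policy violation). A legitimate client that bursts briefly loses a
// few frames at most; a flooder is disconnected almost immediately.
function makeBoundedHandler({ rate, burst, maxViolations }) {
  const budgets = new WeakMap(); // socket -> FrameBudget
  return function boundedHandler(socket, frame, state, now) {
    let budget = budgets.get(socket);
    if (!budget) { budget = new FrameBudget(rate, burst); budgets.set(socket, budget); }
    if (budget.allow(now)) { state.queue.push(frame); return 'accepted'; }
    budget.violations += 1;
    if (budget.violations >= maxViolations) {
      socket.close(1008, 'frame rate exceeded');
      return 'closed';
    }
    return 'dropped';
  };
}

// Drive `frames` evenly spaced over `seconds` from a single client and report
// what the server did. The dropped/closed counters are exactly what you would
// export per source address for alerting.
function simulate(handler, { frames, seconds, ip }) {
  const socket = new FakeSocket(ip);
  const state = { queue: [] };
  let dropped = 0;
  for (let i = 0; i < frames && !socket.closed; i++) {
    const now = (i / frames) * seconds;
    const frame = { seq: i, payload: 'x'.repeat(64) }; // constructed sample frame
    if (handler(socket, frame, state, now) === 'dropped') dropped += 1;
  }
  return { ip, queued: state.queue.length, dropped, closed: socket.closed, closeCode: socket.closeCode };
}

// Illustrative budget: 50 frames/s sustained, bursts of 100, disconnect after 20 refusals.
const POLICY = { rate: 50, burst: 100, maxViolations: 20 };
const bounded = makeBoundedHandler(POLICY);

// Constructed client profiles: a flooder and a busy but legitimate editor.
const flood  = { frames: 100000, seconds: 1, ip: '198.51.100.7' };
const editor = { frames: 120,    seconds: 2, ip: '203.0.113.5' };

console.log('unbounded vs flood :', simulate(unboundedHandler, flood));
console.log('bounded   vs flood :', simulate(bounded, flood));
console.log('bounded   vs editor:', simulate(bounded, editor));
```

Run it with node. The unbounded handler queues all 100,000 frames of the flood; the bounded handler accepts the 100-frame burst, drops the next 19 and closes the connection with 1008 on the 20th refusal, while the editor's 120 frames over two seconds all go through because the refill covers them. The dropped and closed counters keyed by address are the signal for the monitoring point above: a stream of 1008 closes from one address is a flood, an occasional dropped frame from an editor is noise.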

Advisories

No advisories yet.

History

Mon, 04 May 2026 17:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Xwiki; Xwiki cryptpad
CPEs                                  cpe:2.3:a:xwiki:cryptpad:*:*:*:*:*:*:*:*
Vendors & Products                    Xwiki; Xwiki cryptpad

Fri, 01 May 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Cryptpad; Cryptpad cryptpad
Vendors & Products                    Cryptpad; Cryptpad cryptpad

Thu, 30 Apr 2026 18:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 16:45:00 +0000

Type                 Values Removed   Values Added
Description                           CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2.
Title                                 CryptPad unbounded WebSocket frame flood
Weaknesses                            CWE-770
References
Metrics                               cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                                      cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-04-30T17:15:30.109Z

Reserved: 2025-06-16T03:28:36.966Z

Link: CVE-2025-51846

Vulnrichment

Updated: 2026-04-30T17:15:26.160Z

NVD

Status: Analyzed

Published: 2026-04-30T17:16:25.467

Modified: 2026-05-04T16:52:11.783

Link: CVE-2025-51846

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:21:13Z

Weaknesses