Description
daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.
Published: 2026-06-03
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a limitation in Daphne’s WebSocket handling where, before version 4.2.2, Daphne did not forward the configured maximum frame or message payload sizes to Autobahn’s WebSocketServerFactory. Autobahn defaults both limits to zero, meaning unlimited sizes. Consequently an unauthenticated attacker could send extremely large WebSocket frames or messages, causing Daphne to allocate excessive memory and eventually become unresponsive, which is a classic denial of service scenario. This flaw is categorized as CWE‑770: Excessive Resource Consumption.

Affected Systems

The vulnerable product is Daphne, part of the Django project. All releases prior to 4.2.2 are affected. The specific product name is "Django Daphne" and the vendor identifier is djangoproject:daphne. No other vendors or product lines are impacted.

Risk and Exploitability

The CVSS score is 5.3, indicating a medium severity risk. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, which suggests it is currently unproven or limited in exploit usage. The attack vector is likely an unauthenticated remote user establishing a WebSocket connection and sending oversized frames or messages. Achieving the denial requires only the ability to send data to a running Daphne instance; no authentication or privileged access is needed.

Generated by OpenCVE AI on June 3, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Daphne to version 4.2.2 or later.
  • If an upgrade is not immediately possible, configure Daphne or the underlying Autobahn library to enforce explicit limits on WebSocket frame and message payload sizes (e.g., set maxFramePayloadSize and maxMessagePayloadSize to reasonable values).
  • Limit access to the WebSocket endpoint to trusted network hosts or IP ranges to reduce exposure.

Generated by OpenCVE AI on June 3, 2026 at 15:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Description daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.
Title Unbounded WebSocket message and frame sizes can cause unauthenticated remote denial of service
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-06-03T13:17:42.907Z

Reserved: 2026-05-06T20:29:54.084Z

Link: CVE-2026-44545

cve-icon Vulnrichment

Updated: 2026-06-03T15:48:37.368Z

cve-icon NVD

Status : Received

Published: 2026-06-03T14:16:43.583

Modified: 2026-06-03T14:16:43.583

Link: CVE-2026-44545

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T16:00:16Z

Weaknesses