High severity · 7.5 (NVD) · Advisory · Published Apr 30, 2026 · Updated May 4, 2026
CVE-2025-51846
Description
CryptPad 2025.3.1 allows an unbounded WebSocket frame flood: a remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2.
Affected products
Patches (2)
1. 6dacfef67a5e Merge remote-tracking branch 'origin/nginx-ratelimit' into 2026.2.1-rc
1 file changed · +7 −0
docs/example-advanced.nginx.conf+7 −0 modified@@ -23,6 +23,9 @@ server { return 301 https://$host$request_uri; } +# Websocket connections rate limiting +limit_req_zone $binary_remote_addr zone=wslimit:20m rate=30r/m; + server { listen 443 ssl; listen [::]:443 ssl; @@ -190,6 +193,10 @@ server { # We prefer to serve static content from nginx directly and to leave the API server to handle # the dynamic content that only it can manage. This is primarily an optimization location ^~ /cryptpad_websocket { + # Websocket connections rate limiting + limit_req zone=wslimit burst=5 nodelay; + limit_req_status 429; + # XXX # static assets like blobs and blocks are served by clustered workers in the API server # Websocket traffic still needs to be handled by the main process, which means it needs
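Review bot: the zone added in the first hunk (`limit_req_zone $binary_remote_addr zone=wslimit:20m rate=30r/m;`) counts HTTP requests, and for a WebSocket the only HTTP request is the Upgrade handshake, so this bounds how many connections one address may open per minute, not how many frames it sends on a connection it already holds. The advisory this fixes describes an unbounded frame flood; the comment (`# Websocket connections rate limiting`) is accurate about what is limited, but the changelog should say plainly that frames on an established socket are not covered by nginx and that a per-connection frame limit has to live in the API server. Also worth a comment in the same hunk: `$binary_remote_addr` is the address nginx sees, so with another proxy or a CDN in front of it every client shares one key, and users behind a NAT share the 30r/m budget (roughly one new connection every two seconds); configure `set_real_ip_from`/`real_ip_header` or key on the forwarded address where that applies.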
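Review bot: the `limit_req zone=wslimit burst=5 nodelay;` and `limit_req_status 429;` added in `location ^~ /cryptpad_websocket` only touch docs/example-advanced.nginx.conf, so an already-deployed instance gains nothing until its operator copies these lines into their own config, and deployments fronted by another web server or reverse proxy get no mitigation at all; the commit message and release notes should state that this is an opt-in configuration change that must be applied by hand. Add `limit_req_log_level` (or a note that the default is `error`) beside `limit_req_status 429;` so operators can see which addresses are being rejected while tuning, and check that five immediate connections followed by one every two seconds is enough for a user opening several pads at once if each open pad needs its own WebSocket handshake. The `# XXX` marker left directly under the new lines still reads as an unresolved placeholder and should be resolved or explained.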
Vulnerability mechanics
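The patch above bounds WebSocket handshakes per client address in nginx; nginx does not count the frames a client sends once a socket is open, which is what the description calls an unbounded frame flood. The following is an added example, not CryptPad's code and not part of the patch, of the per-connection bound the application itself would need: a token-bucket limiter applied to inbound frames, exercised against a constructed flood and a constructed normal editing cadence. The policy values (a 50-frame burst, 20 frames/s sustained) and the close-on-exceed action are hypothetical; the hook into a real server's message handler is not shown.

```javascript
'use strict';

// Added example (not CryptPad code): a per-connection token bucket for
// inbound WebSocket frames. nginx's limit_req counts HTTP requests, i.e. the
// Upgrade handshake, so frames on an open socket need a limit in the app.
// capacity and refillPerSec below are hypothetical policy values.
class FrameRateLimiter {
  constructor(capacity = 50, refillPerSec = 20) {
    this.capacity = capacity;       // frames accepted in a burst
    this.refillPerSec = refillPerSec; // sustained frames per second
    this.tokens = capacity;
    this.last = null;               // timestamp (ms) of the previous frame
  }

  // Returns true if a frame arriving at nowMs fits the budget.
  allow(nowMs) {
    if (this.last !== null) {
      const elapsedSec = Math.max(0, nowMs - this.last) / 1000;
      this.tokens = Math.min(this.capacity, this.tokens + elapsedSec * this.refillPerSec);
    }
    this.last = nowMs;
    if (this.tokens >= 1) {
      this.tokens -= 1;
      return true;
    }
    return false;
  }
}

// Replay one connection's frame arrival times (ms) through the limiter.
// Returns how many frames were accepted and the index of the first frame
// that exceeded the budget (-1 if none); a server applying this policy
// would close the socket at that index instead of queueing more work.
function simulateConnection(frameTimesMs, capacity, refillPerSec) {
  const limiter = new FrameRateLimiter(capacity, refillPerSec);
  let accepted = 0;
  for (let i = 0; i < frameTimesMs.length; i++) {
    if (!limiter.allow(frameTimesMs[i])) {
      return { accepted, closedAtIndex: i };
    }
    accepted++;
  }
  return { accepted, closedAtIndex: -1 };
}

// Constructed inputs (not captured traffic):
// a flood: n frames all arriving within the same millisecond, which is what a
// tight send loop looks like from the server side.
function floodTimes(n) {
  return Array.from({ length: n }, () => 0);
}
// a steady client: one frame every intervalMs.
function steadyTimes(n, intervalMs) {
  return Array.from({ length: n }, (_, i) => i * intervalMs);
}

function runDemo() {
  const flood = simulateConnection(floodTimes(1000), 50, 20);
  const normal = simulateConnection(steadyTimes(1000, 100), 50, 20); // 10 frames/s
  const fast = simulateConnection(steadyTimes(1000, 40), 50, 20);    // 25 frames/s
  console.log('flood  :', flood);  // burst exhausted after 50 frames
  console.log('normal :', normal); // never throttled
  console.log('fast   :', fast);   // above the sustained rate, cut off once the burst drains
  return { flood, normal, fast };
}

runDemo();
```

The flood is cut off after the 50-frame burst regardless of how many frames follow, a 10 frames/s session is never touched, and a client that stays above the sustained rate is allowed to drain the burst and then closed, so a single connection can no longer hold unbounded work in front of the server. Keying this per connection rather than per address is deliberate: it is the complement of the per-address handshake limit in the nginx patch, and the two together cover both connection churn and a flood on one socket.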
References (4)
- github.com/cryptpad/cryptpad/pull/2239/changes/1e0c06ad8a0c5dab795f85f9730ec2693320c62e [nvd: Patch]
- github.com/JohnPerifanis/cryptpad-cve-2025-51846-advisory/blob/main/README.md [nvd: Exploit, Third Party Advisory]
- raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-119-01.json [nvd: Third Party Advisory]
- www.cve.org/CVERecord [nvd: Third Party Advisory]