CVE-2025-51846

HIGH

CryptPad unbounded WebSocket frame flood

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-51846. PoCs published by JohnPerifanis.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2025-51846, a denial-of-service vulnerability in CryptPad's WebSocket implementation due to unbounded frame processing. It includes root cause analysis, impact assessment, and mitigation strategies but does not contain exploit code.

Description

CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2.

Exploits (1)

github WRITEUP
by JohnPerifanis · poc
https://github.com/JohnPerifanis/cryptpad-cve-2025-51846-advisory

This repository provides a detailed technical analysis of CVE-2025-51846, a denial-of-service vulnerability in CryptPad's WebSocket implementation due to unbounded frame processing. It includes root cause analysis, impact assessment, and mitigation strategies but does not contain exploit code.

Classification
Writeup 100%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: CryptPad 2025.3.1 and later versions up to 2026.2.1
No auth needed
Prerequisites: Vulnerable CryptPad instance · WebSocket connection capability
devstral-2 · analyzed May 01, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 7.5
EPSS 0.0058
EPSS Percentile 42.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-770
Status published
Products (3)
CryptPad/CryptPad 2025.3.1 - 2026.2.2
CryptPad/CryptPad 2026.2.2
xwiki/cryptpad 2025.3.1 - 2026.2.2
Published Apr 30, 2026
Tracked Since Apr 30, 2026