CVE-2025-51846

Summary

CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2.

Affected Software

VendorProductVersion RangeStatus
CryptPadCryptPad2025.3.1 < 2026.2.2affected
CryptPadCryptPad2026.2.2unaffected

Weaknesses

  • CWE-770: CWE-770 Allocation of Resources Without Limits or Throttling

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References