CVE-2025-51846 - Vulnerability Analysis
High | CVSS: 7.5 | Last Updated: April 30, 2026
CryptPad - Denial of Service
Published: April 30, 2026 | Updated: April 30, 2026 | PoC Available | Remote Exploitable
Overview
CryptPad 2025.3.1 contains a denial-of-service vulnerability caused by an unbounded WebSocket frame flood. Remote unauthenticated attackers can degrade or deny service for all users; exploitation requires no special privileges.
Severity & Score
Severity: High
CVSS Score: 7.5
Impact
Remote attackers can cause service degradation or denial of service for all users.
Mitigation
Update to version 2026.2.2 or later.
References
- https://github.com/cryptpad/cryptpad/pull/2239/changes/1e0c06ad8a0c5dab795f85f9730ec2693320c62e
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-119-01.json
- https://www.cve.org/CVERecord?id=CVE-2025-51846
- https://github.com/JohnPerifanis/cryptpad-cve-2025-51846-advisory/blob/main/README.md
Details
- CVE ID: CVE-2025-51846
- Severity: High
- CVSS Score: 7.5
- Type: denial_of_service
- Status: unconfirmed
CWE
- CWE-770
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H