Executive Summary

CVE-2025-51846 is a vulnerability in CryptPad version 2025.3.1 that allows an unbounded WebSocket frame flood.

This means a remote, unauthenticated attacker can send a large number of valid WebSocket frames without limits, exploiting the lack of cumulative limits on data and fragments processed per connection.

Although individual WebSocket frames are checked for size, the overall number of frames or fragments is not limited, which can exhaust server resources such as CPU and memory.

As a result, the attacker can cause significant degradation or denial of service for all users of a CryptPad instance.

The issue is classified under CWE-770 (allocation of resources without limits or throttling) and was fixed in CryptPad version 2026.2.2.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can be exploited by a remote, unauthenticated attacker to significantly degrade or deny service to all users of a CryptPad instance.

By flooding the server with numerous valid WebSocket frames, the attacker can exhaust server CPU and memory resources.

This resource exhaustion can lead to service degradation, unavailability, or even crashes, preventing legitimate users from accessing the service.

The impact is a high-severity denial-of-service condition that affects availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves an unbounded WebSocket frame flood that can cause resource exhaustion on the CryptPad server. Detection involves monitoring for abnormal WebSocket traffic patterns, such as unusually high volumes of WebSocket frames or fragmented messages from unauthenticated sources.

Suggested detection methods include monitoring WebSocket connections for excessive frame rates or data volume per connection, and checking server resource usage (CPU and memory) for spikes correlated with WebSocket traffic.

While no specific commands are provided in the resources, typical commands to monitor WebSocket traffic and resource usage might include:

• Using network monitoring tools like tcpdump or Wireshark to capture and analyze WebSocket frames on the relevant ports.
• Using system monitoring commands such as `top`, `htop`, or `vmstat` to observe CPU and memory usage spikes.
• Checking web server logs or reverse proxy logs for unusually high numbers of WebSocket connection attempts or frame rates.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and most effective mitigation is to upgrade CryptPad to version 2026.2.2 or later, where the vulnerability has been fixed.

Additional immediate mitigations include implementing rate limiting on WebSocket connections to prevent abuse, such as:

• Configuring reverse-proxy rate limiting (e.g., in nginx) to limit the number of WebSocket frames or requests per minute per IP.
• Setting per-IP connection limits to reduce the risk of a single attacker overwhelming the server.
• Applying cumulative per-connection byte/frame limits to restrict resource consumption.

Monitoring WebSocket traffic for abnormal patterns can also help detect and respond to ongoing attacks.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of the CryptPad WebSocket frame flood vulnerability (CVE-2025-51846) on compliance with common standards and regulations such as GDPR or HIPAA.

However, since the vulnerability allows a remote, unauthenticated attacker to cause denial of service or significant degradation of service, it could indirectly affect compliance by impacting availability requirements mandated by some regulations.

No explicit references to regulatory compliance implications or data protection concerns are mentioned in the available resources.

Useful 0 Not Useful 0