CVE-2026-44545
Daphne WebSocket Memory Exhaustion Flaw
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: Django Software Foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| django | daphne | < 4.2.2 (4.2.2 not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Daphne ASGI server in versions before 4.2.2. Daphne did not set any limit on the size of WebSocket messages or frames on the Autobahn WebSocket implementation it is built on, and Autobahn's default for both limits is 0, which means unlimited. An unauthenticated remote attacker can therefore send arbitrarily large WebSocket frames or messages to the server.
Because the server buffers what it receives without any size check, such traffic drives memory consumption up until the process degrades or is killed, producing a denial of service (DoS). This is the allocation-without-limits pattern described by CWE-770.
How can this vulnerability impact me?
The impact is denial of service. An attacker who can open a WebSocket connection to the server (no authentication is required) can send very large frames or messages, and the server buffers them without bound.
The resulting memory growth degrades performance for all connections on that process and can end with the process being killed by the operating system, making the service unavailable to legitimate users until it is restarted.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Any Daphne deployment running a version before 4.2.2 that exposes a WebSocket endpoint is affected, so the first check is the installed version.
On the network side, monitor WebSocket traffic for frames or messages whose announced size is far outside normal usage for the application, and correlate with memory growth on the Daphne processes.
Since Daphne 4.2.2 introduced command-line flags to limit WebSocket message and frame sizes, you can also audit your Daphne server invocation for the presence of these limits and, in particular, for either of them being set to 0.
Specific commands to detect this vulnerability are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Daphne to version 4.2.2 or later where the issue is fixed.
Configure the WebSocket message and frame size limits using the new command-line flags or Server constructor arguments introduced in version 4.2.2:
- --websocket-max-message-size (default 1 MiB)
- --websocket-max-frame-size (default 1 MiB)
Avoid setting these values to 0, as that restores the previous unlimited behavior and leaves the server vulnerable.