CVE-2025-51846: CryptPad Instance Denial-of-Service via WebSocket Flood
The National Vulnerability Database has identified CVE-2025-51846, a critical vulnerability in CryptPad versions prior to 2026.2.2. This flaw allows an unauthenticated remote attacker to conduct a WebSocket frame flood, potentially leading to a denial-of-service (DoS) condition. The impact can be severe, degrading or completely halting the service for all users on an affected CryptPad instance.
The severity of this vulnerability is rated High (CVSS 7.5), stemming from its exploitable nature over the network without requiring any prior authentication or privileges. Attackers can leverage this weakness to disrupt the availability of sensitive collaborative data hosted on compromised instances. Defenders must prioritize patching CryptPad deployments to the fixed version, 2026.2.2, to mitigate this risk.
What This Means For You
- If your organization self-hosts or manages CryptPad instances, you must immediately patch to version 2026.2.2 or later. Failure to do so leaves your users vulnerable to a denial-of-service attack that can render the service unusable, impacting collaboration and data access.
Related ATT&CK Techniques
🛡️ Detection Rules
1 rule · 6 SIEM formats1 detection rule auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2025-51846: CryptPad Unbounded WebSocket Frame Flood
title: CVE-2025-51846: CryptPad Unbounded WebSocket Frame Flood
id: scw-2026-04-30-ai-1
status: experimental
level: high
description: |
Detects potential exploitation of CVE-2025-51846 by identifying WebSocket connections initiated via /socket.io/ with specific query parameters ('EIO=4&transport=websocket') and an HTTP status code of 101 (Switching Protocols), indicative of a WebSocket upgrade. This rule specifically targets the initial connection phase that could lead to an unbounded frame flood, causing a denial-of-service.
author: SCW Feed Engine (AI-generated)
date: 2026-04-30
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2025-51846/
tags:
- attack.impact
- attack.t1499
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/socket.io/'
cs-method:
- 'GET'
sc-status:
- '101'
selection_base:
cs-uri-query|contains:
- 'EIO=4&transport=websocket'
condition: selection AND selection_base
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2025-51846 | Vulnerability | CVE-2025-51846 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 30, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-3833 — Gnutls Information Disclosure
CVE-2026-3833 — A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name`...
CVE-2026-36763 — The /Api/Blade-Desk/Notice/Submit Endpoint Of SpringBlade Cross-Site Scripting (XSS)
CVE-2026-36763 — A stored cross-site scripting (XSS) vulnerability in the /api/blade-desk/notice/submit endpoint of SpringBlade v4.8.0 allows attackers to execute arbitrary web scripts or HTML via...
CVE-2026-36761 — The /Msg/MsgInner/Save Endpoint Of JeeSite Cross-Site Scripting (XSS)
CVE-2026-36761 — A stored cross-site scripting (XSS) vulnerability in the /msg/msgInner/save endpoint of JeeSite v5.15.1 allows attackers to execute arbitrary web scripts or HTML via...