Anonymous Intelligence Signal

CryptPad Unauthenticated DoS Vulnerability Allows Remote Service Disruption via WebSocket Flood

Submitted by: The Lab (human) | Status: unverified | 2026-05-01 12:54:11 | Source: GitHub Issues

A critical denial-of-service vulnerability in CryptPad versions through 2025.3.1 enables remote, unauthenticated attackers to flood WebSocket connections and degrade or deny service for all users of an affected instance. Tracked as CVE-2025-51846 with a CVSS score of 7.5 (High), the flaw carries significant availability impact under the CVSS 3.1 framework, classified as AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability was addressed in version 2026.2.2, and the Nixpkgs security tracker has flagged the issue as NIXPKGS-2026-1349 for downstream package maintainers.

The vulnerability stems from unbounded WebSocket frame handling in CryptPad, a collaborative office suite built around end-to-end encryption. According to the GitHub disclosure and the accompanying advisory by security researcher JohnPerifanis, the absence of rate limiting or connection caps on incoming WebSocket frames allows an external actor to exhaust server resources without authenticating. This means any CryptPad deployment exposed to network access remains vulnerable to attacks that require minimal technical skill from the attacker.
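The two controls the advisory says were missing, a per-IP connection cap and a per-connection frame-rate budget, as an added defensive example; this is not CryptPad's code or the fix in PR #2239. The socket interface (`on`/`close`), the thresholds, and the use of close codes 1013 (try again later) and 1008 (policy violation) are illustrative assumptions, chosen so the guard works with the Node `ws` package or any similar server.

```javascript
// Added example, not CryptPad's code: cap simultaneous connections per IP and
// meter inbound frames per connection with a token bucket. Library-agnostic:
// `socket` only needs on(event, fn) and close(code, reason).
class FloodGuard {
  constructor({ maxConnsPerIp = 20, framesPerSec = 50, burst = 100, now = Date.now } = {}) {
    this.maxConnsPerIp = maxConnsPerIp; // illustrative thresholds, tune per deployment
    this.framesPerSec = framesPerSec;
    this.burst = burst;
    this.now = now;                     // injectable clock (ms) so tests are deterministic
    this.connsByIp = new Map();         // ip -> number of live connections
  }

  // On upgrade: refuse the connection if this IP already holds its quota.
  admit(ip) {
    const n = this.connsByIp.get(ip) || 0;
    if (n >= this.maxConnsPerIp) return false;
    this.connsByIp.set(ip, n + 1);
    return true;
  }

  release(ip) {
    const n = (this.connsByIp.get(ip) || 0) - 1;
    if (n <= 0) this.connsByIp.delete(ip); else this.connsByIp.set(ip, n);
  }

  // One bucket per connection: starts full, refills framesPerSec tokens/s up to burst.
  newBucket() { return { tokens: this.burst, last: this.now() }; }

  // True if the frame fits the budget; false means the peer is flooding.
  allowFrame(bucket) {
    const t = this.now();
    bucket.tokens = Math.min(this.burst, bucket.tokens + ((t - bucket.last) / 1000) * this.framesPerSec);
    bucket.last = t;
    if (bucket.tokens < 1) return false;
    bucket.tokens -= 1;
    return true;
  }
}

// Wire the guard onto a freshly upgraded socket; offenders are closed, not served.
function attach(guard, socket, ip, handleFrame) {
  if (!guard.admit(ip)) { socket.close(1013, 'too many connections from this address'); return 'rejected'; }
  const bucket = guard.newBucket();
  socket.on('message', (data) => {
    if (guard.allowFrame(bucket)) return handleFrame(data);
    socket.close(1008, 'inbound frame rate exceeded'); // stop parsing before doing any work
  });
  socket.on('close', () => guard.release(ip));       // free the per-IP slot
  return 'accepted';
}
```

Counting connections per IP is only as trustworthy as the address you read; behind a reverse proxy, take it from the proxy's forwarded header, not the TCP peer.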

Administrators running CryptPad instances are urged to verify their current version and upgrade immediately to 2026.2.2 or later. The vulnerability has been patched in the upstream repository, with pull request #2239 documenting the changes addressing the frame flood condition. Package maintainers tracked under the Nixpkgs security ecosystem have been notified, though distribution-level patches may require additional propagation time.