
CryptPad CVE-2025-51846

EUVD-2025-209596 · HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-30 cisa-cg
8.7
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS vector breakdown (NVD)
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Safety (supplemental; CVSS 4.0 has no Scope metric, the "S" field is Safety)
X (not defined)

Lifecycle Timeline

Patch released
May 04, 2026 - 16:52 nvd
Patch available
Apr 30, 2026 - 18:02 EUVD
Source Code Evidence Fetched
Apr 30, 2026 - 17:30 vuln.today
Analysis Generated
Apr 30, 2026 - 17:30 vuln.today
CVSS changed
Apr 30, 2026 - 17:22 NVD
7.5 (HIGH) → 8.7 (HIGH)
EUVD ID Assigned
Apr 30, 2026 - 17:00 euvd
EUVD-2025-209596
Analysis Generated
Apr 30, 2026 - 17:00 vuln.today
CVE Published
Apr 30, 2026 - 16:35 nvd
HIGH 8.7

Description (CVE.org)

CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2.

Analysis (AI-generated)

Remote denial of service in CryptPad 2025.3.1: an unauthenticated attacker can flood the server with WebSocket frames and degrade or deny service for every user of the instance. The root cause is that the WebSocket layer accepts frames and connections at any rate, with no throttling (CWE-770). Version 2026.2.2 adds an nginx rate-limiting configuration for the WebSocket endpoint (30 requests per minute per client IP, burst of 5), which throttles how fast a single IP can open new WebSocket connections. The CVSS 8.7 (High) score reflects a network-reachable, low-complexity attack that needs no privileges or user interaction and impacts availability only (VA:H, with no confidentiality or integrity impact). No CISA KEV listing or public exploit had been identified at the time of analysis, but the low technical barrier means exploitation should be assumed to be easy.

Technical Context (AI-generated)

CryptPad is an open-source collaborative office suite with end-to-end encryption. The vulnerability sits in the WebSocket communication layer that carries real-time collaboration traffic. CWE-770 (Allocation of Resources Without Limits or Throttling) indicates that the server accepts WebSocket frames from an individual client without any bound on their rate. The fix in PR #2239 adds nginx-level rate limiting with limit_req_zone, allowing 30 requests per minute per client IP with a burst of 5 requests. Since nginx's limit_req counts HTTP requests and the WebSocket upgrade is one such request, the limit caps how many new WebSocket connections a single IP can open per minute, which constrains an attacker who multiplies the flood across many parallel connections; it does not meter the frames sent over a connection that is already open, so any bound on the per-connection frame rate has to come from the application itself. The affected CPE range lists CryptPad versions up to and including 2025.3.1 as vulnerable, with remediation in 2026.2.2.
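Added example for the CWE-770 point above (this is not CryptPad's code and not the change from PR #2239): a per-connection token bucket in Node.js that bounds the frame rate a single WebSocket client may sustain, the application-level control that a reverse-proxy request limit cannot provide. The bucket size, the refill rate, the "terminate on first violation" policy and the `ws` wiring shown in the comment are assumptions made for illustration.

```javascript
'use strict';
// Added example, not CryptPad's code or the fix from PR #2239: a per-connection
// token bucket that bounds how many WebSocket frames a single client may send,
// the application-level counterpart of the CWE-770 weakness on this page.
// Capacity, rate and the "close on first violation" policy are assumptions.

class FrameRateLimiter {
  // capacity: largest burst of frames allowed; ratePerSec: sustained frames per second.
  // Tokens are kept as integer milli-frames so the arithmetic is exact.
  constructor(capacity, ratePerSec) {
    this.capacityMilli = capacity * 1000;
    this.ratePerSec = ratePerSec;        // 1 frame/s == 1 milli-frame/ms
    this.tokensMilli = this.capacityMilli;
    this.lastMs = 0;
  }

  // Returns true if a frame arriving at nowMs is within budget, false otherwise.
  allow(nowMs) {
    const elapsed = Math.max(0, nowMs - this.lastMs);
    this.lastMs = nowMs;
    this.tokensMilli = Math.min(this.capacityMilli,
                                this.tokensMilli + elapsed * this.ratePerSec);
    if (this.tokensMilli < 1000) return false;   // budget exhausted: reject this frame
    this.tokensMilli -= 1000;                    // one frame costs one token
    return true;
  }
}

// Drive the limiter with a constructed stream of frames arriving every
// intervalMs for durationMs. Returns how many frames were accepted and the
// time at which the connection would have been closed (null if it stayed
// within budget for the whole run).
function simulate(intervalMs, durationMs, capacity, ratePerSec) {
  const limiter = new FrameRateLimiter(capacity, ratePerSec);
  let accepted = 0;
  for (let t = 0; t < durationMs; t += intervalMs) {
    if (!limiter.allow(t)) return { accepted, closedAtMs: t };
    accepted++;
  }
  return { accepted, closedAtMs: null };
}

// How a server would wire this in with the `ws` package (assumed, not executed here):
//   ws.on('message', () => { if (!limiter.allow(Date.now())) ws.terminate(); });

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed workloads: an editor sending 10 frames/s and a flooder sending
  // 1000 frames/s, both against a 50-frame burst refilled at 10 frames/s.
  console.log('editor :', simulate(100, 1000, 50, 10)); // { accepted: 10, closedAtMs: null }
  console.log('flooder:', simulate(1, 1000, 50, 10));   // { accepted: 50, closedAtMs: 50 }
}
```

The editor never dips below a full bucket because it sends slower than the refill rate, while the flooder burns the 50-frame burst in 50 ms and is cut off; with the nginx limit alone, that flooder would keep sending indefinitely on its one established connection.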

Remediation (AI-generated)

Upgrade to CryptPad 2026.2.2 or later, which includes the nginx configuration change that rate-limits the WebSocket endpoint (30 requests per minute per client IP, burst of 5). The change is available in GitHub PR #2239 at https://github.com/cryptpad/cryptpad/pull/2239/changes/1e0c06ad8a0c5dab795f85f9730ec2693320c62e. Organizations that cannot upgrade immediately can apply the same nginx configuration from the PR diff by hand: define a limit_req_zone keyed on the client address (for example $binary_remote_addr) with zone=wslimit:20m rate=30r/m in the http context, then add limit_req zone=wslimit burst=5 nodelay; to the WebSocket location. Because limit_req counts HTTP requests, this caps how quickly one IP can open new WebSocket connections; it does not meter frames on connections that are already open. The limit is per source address, so many legitimate users behind a shared NAT or corporate proxy, or a single user with unusually high collaboration activity, can trip it (trade-off: false positives for such users versus availability protection), and if nginx sits behind another proxy or CDN the zone must be keyed on the real client address rather than the upstream proxy's. nginx rejects rate-limited requests with 503 by default; set limit_req_status 429; if 429 responses are wanted, and watch the error log for "limiting requests" entries (written at the limit_req_log_level, error by default) to tune the burst value. No alternative mitigations were identified; rate limiting at the reverse proxy is the primary defense short of upgrading.


CVE-2025-51846 vulnerability details – vuln.today
