Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable WebSocket endpoint, no auth or interaction, trivial oversized-frame trigger; impact is pure availability via memory exhaustion with no confidentiality or integrity loss.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6Blast Radius
ecosystem impact- 93 pypi packages depend on daphne (45 direct, 50 indirect)
Ecosystem-wide dependent count for version 4.2.2.
DescriptionNVD
daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.
AnalysisAI
Denial of service in Django Daphne before 4.2.2 allows unauthenticated remote attackers to exhaust server memory by sending oversized WebSocket frames or messages. The flaw stems from Daphne failing to forward maxFramePayloadSize and maxMessagePayloadSize limits to the underlying Autobahn WebSocketServerFactory, which defaults both to unlimited. No public exploit identified at time of analysis, and EPSS is low (0.07%), but the CVSS:3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N) reflects easy network-reachable abuse against any deployment exposing WebSockets.
Technical ContextAI
Daphne is the official ASGI HTTP/WebSocket/HTTP2 server maintained by the Django project, commonly used to serve Django Channels applications. It delegates WebSocket protocol handling to Autobahn|Python's WebSocketServerFactory, which accepts maxFramePayloadSize and maxMessagePayloadSize parameters to bound per-frame and per-message buffer growth. Daphne did not pass these parameters through, so Autobahn fell back to its documented default of 0 (unlimited). This maps cleanly to CWE-770 (Allocation of Resources Without Limits or Throttling): the WebSocket read path accepts attacker-controlled payload sizes without an upper bound, allowing memory to grow until the process or host is starved. The CPE cpe:2.3:a:djangoproject:daphne:*:*:*:*:*:*:*:* confirms the affected product is the upstream djangoproject/daphne package.
RemediationAI
Upgrade to Daphne 4.2.2 or later, which passes maxFramePayloadSize and maxMessagePayloadSize through to Autobahn's WebSocketServerFactory; consult https://github.com/django/daphne/blob/main/CHANGELOG.txt for the release notes and https://nvd.nist.gov/vuln/detail/CVE-2026-44545 for the advisory. If immediate upgrade is not possible, place Daphne behind a reverse proxy (nginx, HAProxy, Envoy, or a CDN/WAF) configured to enforce a maximum WebSocket frame and message size - note this protects the Daphne process but may break legitimate clients that send large messages such as binary file uploads or media streams. As a secondary control, apply per-IP connection and bandwidth rate limits at the proxy or firewall to slow memory exhaustion attempts, and monitor Daphne worker RSS with alerting so an attack triggers restart/scale-out before the host OOMs.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34091
GHSA-rrc9-mx66-ffcm