CVE-2026-44545
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk24th percentile - higher than 24% of all known CVEs
Summary
Daphne versions before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Autobahn defaults both values to 0 (unlimited), allowing an unauthenticated remote attacker to send arbitrarily large WebSocket messages or frames, leading to excessive memory consumption and denial of service.
Risk Assessment
The organization may be vulnerable to denial of service attacks, which could result in application downtime and increased resource consumption.
Recommendation
It is recommended to update Daphne to version 4.2.2 or later to mitigate this issue and configure appropriate limits for WebSocket messages.
Original NVD description (English source)
daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.

