CVE Catalog

CVE-2026-44545

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.33%

24th percentile - higher than 24% of all known CVEs

Summary

Daphne versions before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Autobahn defaults both values to 0 (unlimited), allowing an unauthenticated remote attacker to send arbitrarily large WebSocket messages or frames, leading to excessive memory consumption and denial of service.

Risk Assessment

The organization may be vulnerable to denial of service attacks, which could result in application downtime and increased resource consumption.

Recommendation

It is recommended to update Daphne to version 4.2.2 or later to mitigate this issue and configure appropriate limits for WebSocket messages.

Original NVD description (English source)

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS