Cyber Resilience

CVE-2025-51846

High · Public PoC · DDoS

Published: 30 April 2026
Modified: 04 May 2026
CVSS v4 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0058 (43.3rd percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-51846 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Xwiki Cryptpad. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Direct Network Flood (T1498.001). The CVE ranks at the 43.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2025-51846 is an unbounded WebSocket frame flood vulnerability (CWE-770) affecting CryptPad version 2025.3.1. The server places no limit or throttle on incoming WebSocket frames, so a sustained stream of frames exhausts its resources. The CVE was published on 2026-04-30 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction or privileges required. Successful exploitation significantly degrades performance or fully denies service to all users of the affected CryptPad instance by flooding it with WebSocket frames.

The vulnerability is addressed in CryptPad version 2026.2.2. Mitigation details appear in the advisory at https://github.com/JohnPerifanis/cryptpad-cve-2025-51846-advisory/blob/main/README.md, the fixing pull request at https://github.com/cryptpad/cryptpad/pull/2239/changes/1e0c06ad8a0c5dab795f85f9730ec2693320c62e, CISA's CSAF document at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-119-01.json, and the official CVE record at https://www.cve.org/CVERecord?id=CVE-2025-51846.

Vulnerability details

CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2.

CWE(s): CWE-770 Allocation of Resources Without Limits or Throttling

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1498.001 Direct Network Flood (Impact)
Adversaries may attempt to cause a denial of service (DoS) by directly sending a high volume of network traffic to a target.
Why these techniques?

Direct mapping to network DoS via unbounded WebSocket frame flooding (CWE-770 resource exhaustion).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40104 (same vendor: Xwiki)
CVE-2025-51991 (same vendor: Xwiki)
CVE-2025-55747 (same vendor: Xwiki)
CVE-2025-55727 (same vendor: Xwiki)
CVE-2025-55728 (same vendor: Xwiki)
CVE-2025-24893 (same vendor: Xwiki)
CVE-2026-33229 (same vendor: Xwiki)
CVE-2025-66474 (same vendor: Xwiki)
CVE-2025-29924 (same vendor: Xwiki)
CVE-2025-66024 (same vendor: Xwiki)

Affected Assets

Vendor: xwiki
Product: cryptpad
Affected versions: 2025.3.1 — 2026.2.2 (fixed in 2026.2.2)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SC-5 Denial-of-service Protection (prevent)
Directly implements denial-of-service protections such as rate limiting or throttling to prevent unbounded WebSocket frame floods from causing resource exhaustion.

SI-2 Flaw Remediation (prevent)
Requires timely identification, reporting, and correction of flaws like the unbounded WebSocket frame handling vulnerability in CryptPad.

SC-6 Resource Availability (prevent)
Protects system resource availability from degradation due to excessive consumption by unauthenticated WebSocket frame flood attacks.
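As an added illustration of the rate-limiting control described above (example code written for this page, not CryptPad's code or its actual fix), a per-connection token bucket that throttles incoming WebSocket frames and caps frame size; the limit values, the connection-id scheme and the admitFrame/simulateFlood names are assumptions chosen for the example:

```javascript
// Added example, not CryptPad's code: a per-connection token bucket that
// throttles incoming WebSocket frames (an SC-5/SC-6 style control).
// Limit values and the connection-id scheme are assumptions for illustration.
const LIMITS = {
  maxFrameBytes: 64 * 1024, // assumed cap on a single frame payload
  frameBudget: 200,         // burst: frames a client may send at once
  refillPerSecond: 50,      // sustained frames per second per connection
};

// Per-connection bucket state, keyed by a caller-supplied connection id.
const buckets = new Map();

function bucketFor(connId, nowMs) {
  let b = buckets.get(connId);
  if (!b) {
    b = { tokens: LIMITS.frameBudget, lastMs: nowMs };
    buckets.set(connId, b);
  }
  return b;
}

// Decide whether a frame of `bytes` from `connId` at `nowMs` is admitted.
// Returns { ok: true } or { ok: false, reason } so the caller can close the
// socket (e.g. with close code 1008/1009) and log the event for detection.
function admitFrame(connId, bytes, nowMs) {
  if (bytes > LIMITS.maxFrameBytes) {
    return { ok: false, reason: 'frame too large' };
  }
  const b = bucketFor(connId, nowMs);
  const elapsedSec = Math.max(0, nowMs - b.lastMs) / 1000;
  b.tokens = Math.min(LIMITS.frameBudget,
                      b.tokens + elapsedSec * LIMITS.refillPerSecond);
  b.lastMs = nowMs;
  if (b.tokens < 1) {
    return { ok: false, reason: 'frame rate exceeded' };
  }
  b.tokens -= 1;
  return { ok: true };
}

// Replay a constructed flood of `frames` frames of `bytes` each, all sent at
// `nowMs`, and return how many were admitted before the throttle tripped.
function simulateFlood(connId, frames, bytes, nowMs) {
  let admitted = 0;
  for (let i = 0; i < frames; i++) {
    if (!admitFrame(connId, bytes, nowMs).ok) break;
    admitted++;
  }
  return admitted;
}

function resetBuckets() { buckets.clear(); }
```

In a real server, admitFrame would run inside the socket's message handler with the wall clock as nowMs, and a rejection would close the connection rather than silently drop the frame.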
