CryptPad WebSocket Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in CryptPad version 2025.3.1. The server does not bound the volume of WebSocket traffic it accepts from a connection, so a remote, unauthenticated attacker can flood it with an unbounded stream of standards-compliant WebSocket frames and exhaust its resources. The result is high CPU and memory usage, an unresponsive user interface and, under sustained load, a crash of the service. Container-orchestrated deployments are hit hardest, because exceeding the memory limit causes the orchestrator to kill and restart the container, and the attacker can repeat the flood against the replacement. The issue has been fixed in CryptPad version 2026.2.2.
Impact
Exploitation of this vulnerability causes full service unavailability. Because the flood consists of valid WebSocket traffic, nothing at the protocol layer rejects it; the server simply runs out of CPU and memory processing it. Symptoms are a non-responsive CryptPad user interface, documents and sessions that fail to load, and service crashes under heavy load.
Reproduction
The vulnerability can be reproduced by opening one or more WebSocket connections to a CryptPad instance running version 2025.3.1 and then sending a continuous stream of valid frames, or fragmented messages (a first frame followed by continuation frames), that individually comply with the WebSocket standard but cumulatively overload the server. No authentication is required. This can be done manually or with a script that reproduces the traffic pattern; the effect scales with the number of connections and the volume sent per connection.
Remediation
Users should upgrade to CryptPad version 2026.2.2, which addresses the vulnerability. As defence in depth, also consider rate limiting the WebSocket endpoints at the reverse proxy (the limits must apply to the upgraded connection, not only to the initial HTTP request), per-IP connection limits, cumulative per-connection byte and frame limits, and monitoring for abnormal WebSocket traffic (unusual connection counts or bytes per connection). Per-IP limits should be set with shared NAT addresses in mind so that legitimate users behind one address are not locked out.
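The example below is added here to illustrate the server-side mitigations listed above and the traffic pattern described under Reproduction; it is not CryptPad's code or part of the fix in 2026.2.2. It implements a per-IP concurrent-connection cap and cumulative per-connection message and byte budgets as a plain module, and a simulateFlood helper that replays the "many connections, endless valid messages" pattern against it without any network so the behaviour can be checked offline. The limit values, the module name and the `ws` wiring shown in the trailing comment are assumptions, not CryptPad's configuration.

```javascript
'use strict';
// Added example, not CryptPad's own code. Per-IP connection cap plus
// cumulative per-connection budgets for a WebSocket server. All limits
// below are assumed values for illustration.

class ConnectionBudget {
  constructor(limiter, ip, { maxMessages, maxBytes }) {
    this.limiter = limiter;
    this.ip = ip;
    this.maxMessages = maxMessages;
    this.maxBytes = maxBytes;
    this.messages = 0;
    this.bytes = 0;
    this.released = false;
  }

  // Account for one received message. The `ws` library delivers a
  // fragmented message already reassembled, so `length` is the size of the
  // whole message; `maxPayload` on the server caps a single message.
  // Returns null while within budget, otherwise a reason string; the
  // caller is expected to close the socket on a non-null result.
  record(length) {
    if (!Number.isInteger(length) || length < 0) {
      throw new TypeError('length must be a non-negative integer');
    }
    this.messages += 1;
    this.bytes += length;
    if (this.messages > this.maxMessages) return 'message budget exceeded';
    if (this.bytes > this.maxBytes) return 'byte budget exceeded';
    return null;
  }

  // Call when the socket closes; safe to call more than once.
  release() {
    if (this.released) return;
    this.released = true;
    this.limiter.release(this.ip);
  }
}

class WsLimiter {
  constructor({ maxConnsPerIp = 20, maxMessages = 10000, maxBytes = 50 * 1024 * 1024 } = {}) {
    this.maxConnsPerIp = maxConnsPerIp;
    this.maxMessages = maxMessages;
    this.maxBytes = maxBytes;
    this.connsPerIp = new Map(); // ip -> number of open sockets
  }

  activeConnections(ip) {
    return this.connsPerIp.get(ip) || 0;
  }

  // Admit a new connection from `ip`: returns a ConnectionBudget, or null
  // when the per-IP cap is already reached (the caller should close it).
  admit(ip) {
    const n = this.activeConnections(ip);
    if (n >= this.maxConnsPerIp) return null;
    this.connsPerIp.set(ip, n + 1);
    return new ConnectionBudget(this, ip, { maxMessages: this.maxMessages, maxBytes: this.maxBytes });
  }

  release(ip) {
    const n = this.activeConnections(ip);
    if (n <= 1) this.connsPerIp.delete(ip);
    else this.connsPerIp.set(ip, n - 1);
  }
}

// Replays the reproduction pattern offline: `sockets` connections from one
// IP are opened first (they are concurrent), then each admitted socket
// streams `messagesPerSocket` messages of `size` bytes until a budget trips.
function simulateFlood(limiter, ip, sockets, messagesPerSocket, size) {
  const budgets = [];
  let rejected = 0;
  for (let i = 0; i < sockets; i++) {
    const b = limiter.admit(ip);
    if (b) budgets.push(b); else rejected++;
  }
  const cutOff = {}; // reason -> number of sockets closed for that reason
  for (const b of budgets) {
    for (let m = 0; m < messagesPerSocket; m++) {
      const why = b.record(size);
      if (why) { cutOff[why] = (cutOff[why] || 0) + 1; break; }
    }
    b.release(); // closed either by the server (budget) or by the client
  }
  return { admitted: budgets.length, rejected, cutOff, stillOpen: limiter.activeConnections(ip) };
}

// Constructed demo input: 8 sockets from one address, 200 small messages each.
console.log(simulateFlood(new WsLimiter({ maxConnsPerIp: 5, maxMessages: 100, maxBytes: 1000 }),
  '203.0.113.7', 8, 200, 5));

/* Wiring into the `ws` library (assumed deployment, for orientation only):
const { WebSocketServer } = require('ws');
const limiter = new WsLimiter();
const wss = new WebSocketServer({ port: 3003, maxPayload: 1024 * 1024 });
wss.on('connection', (ws, req) => {
  // Only trust X-Forwarded-For when the server sits behind your own proxy.
  const ip = (req.headers['x-forwarded-for'] || '').split(',')[0].trim() || req.socket.remoteAddress;
  const budget = limiter.admit(ip);
  if (!budget) { ws.close(1013, 'too many connections'); return; }
  ws.on('message', (data) => { const why = budget.record(data.length); if (why) ws.close(1008, why); });
  ws.on('close', () => budget.release());
});
*/
```

With the demo limits, the first five sockets are admitted and the other three are refused at admission, and each admitted socket is closed after its 101st message; every slot is freed again afterwards, so the address is not permanently blocked. In production the budgets should be generous enough for a busy editing session and the per-IP cap tuned for shared addresses, as noted under Remediation.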
