MEDIUM 5.3

CVE-2026-44545: Daphne WebSocket Denial of Service via Unlimited Payload Size

Daphne, a popular ASGI application server for Django, contains a configuration flaw that leaves WebSocket connections vulnerable to denial-of-service attacks. Versions before 4.2.2 fail to enforce limits on WebSocket message and frame sizes, allowing unauthenticated attackers to send extremely large messages that consume server memory until the application becomes unresponsive. This occurs because Daphne does not pass payload size constraints to the underlying Autobahn WebSocket library, which defaults to unlimited sizes.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-770
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from missing parameter propagation in Daphne's WebSocket initialization. When Daphne instantiates Autobahn's WebSocketServerFactory, it does not pass the maxFramePayloadSize and maxMessagePayloadSize parameters. Autobahn interprets absent parameters as zero (unlimited), creating an unbounded memory allocation condition. An unauthenticated remote attacker can exploit this by sending crafted WebSocket frames or multi-frame messages of arbitrary size. Each oversized message triggers memory allocation on the server, leading to resource exhaustion and denial of service without requiring authentication, network-layer filtering, or user interaction.

Business impact

Applications using vulnerable Daphne versions that expose WebSocket endpoints face availability risk. A remote attacker can crash or severely degrade the application server, impacting all users relying on that service. This is particularly concerning for real-time applications (chat, notifications, live dashboards) that depend on WebSocket stability. Unlike vulnerabilities requiring authentication, this flaw is exploitable immediately upon network exposure, making it a practical attack vector for adversaries conducting service disruption campaigns.

Affected systems

Daphne versions prior to 4.2.2 are affected. Daphne is commonly deployed in Django environments, particularly in production setups using container orchestration or cloud platforms. Any organization running an older Daphne release with publicly or internally exposed WebSocket endpoints should be considered at risk. The vulnerability is network-based and requires no local access or special privileges to trigger.

Exploitability

Exploitability is straightforward. The attack requires only network access to the WebSocket endpoint—no authentication, no special configuration, no user interaction. An attacker can craft WebSocket frames exceeding typical memory limits using readily available tools and libraries. The low attack complexity and high accessibility make this a practical concern for internet-facing applications. However, the impact is limited to availability (memory exhaustion), not confidentiality or integrity, which moderates the overall severity.

Remediation

Upgrade Daphne to version 4.2.2 or later. The patched version properly passes payload size limits to Autobahn's WebSocketServerFactory, enabling the framework's built-in memory protections. Organizations should prioritize this upgrade for any Daphne deployment serving real-time or WebSocket-dependent applications. After upgrading, verify that payload limits are appropriately configured for your application's use case and monitor WebSocket connection metrics to detect potential attack attempts.

Patch guidance

Update to Daphne 4.2.2 or newer. Consult the official Daphne release notes and Django deployment documentation for upgrade procedures specific to your environment (pip, Docker, container orchestration, etc.). Test the upgrade in a staging environment first, particularly if you have applications with legitimate high-volume WebSocket traffic, to ensure the new payload limits do not interfere with normal operation. Verify the configuration after upgrade and consider implementing additional network-layer rate limiting or WAF rules for WebSocket endpoints as defense-in-depth.

Detection guidance

Monitor for unusual memory consumption or crashes in Daphne processes following WebSocket connection activity. Log WebSocket frame and message sizes at the application level if possible, and alert on messages exceeding expected thresholds. Network-based detection is challenging because the attack uses valid WebSocket protocol framing; focus on behavioral indicators such as rapid memory growth, process restarts, or connection timeouts. Check running Daphne versions using pip show or container image inspection to identify vulnerable deployments. Consider adding payload size validation at the application layer as a temporary measure until patching is complete.

Why prioritize this

Despite the MEDIUM severity rating, this vulnerability warrants near-term attention because it affects availability in real-time applications and requires no authentication or special configuration to exploit. Internet-facing WebSocket endpoints are directly exposed to unauthenticated attack. The fix is straightforward (a version upgrade) and carries low regression risk. Organizations should prioritize patching any production WebSocket services before patching lower-impact vulnerabilities.

Risk score, explained

The CVSS 3.1 score of 5.3 (MEDIUM) reflects the attack vector (network), low complexity, no privilege requirement, and no user interaction—all favoring exploitability. However, the impact is constrained to availability (memory exhaustion leading to denial of service), with no confidentiality or integrity compromise. The score appropriately reflects a practical but limited-scope threat. In context of WebSocket-dependent applications, organizations may apply additional business risk multipliers (service criticality, customer exposure) to justify accelerated patching.

Frequently asked questions

Does this vulnerability require the attacker to authenticate?

No. The flaw affects unauthenticated WebSocket connections. An attacker with network access to the WebSocket endpoint can exploit it immediately without credentials or any legitimate application interaction.

What happens if I do not upgrade Daphne?

Vulnerable versions remain susceptible to denial-of-service attacks. An attacker can send oversized WebSocket messages, forcing the server to allocate memory until it crashes or becomes unresponsive, disrupting the application for all users.

Can I mitigate this without upgrading?

Partial mitigation is possible through network-layer controls: implement rate limiting on WebSocket endpoints, restrict WebSocket access to trusted networks, or deploy a reverse proxy with message size validation. However, upgrading to 4.2.2 or later is the complete fix and strongly recommended.

Does this affect only production environments?

No. Any Daphne deployment—development, staging, or production—running a vulnerable version is technically affected. However, production and publicly exposed instances carry the highest risk and should be prioritized for upgrade.

This analysis is based on published CVE data and vendor advisories current as of the analysis date. Patch versions, availability, and deployment procedures should be verified against official vendor documentation and release notes before implementation. Security teams should conduct internal testing in non-production environments prior to deploying patches. This assessment does not constitute legal or contractual advice and is provided for informational purposes to support security decision-making. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).