Fluid Attacks Database

Description

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 11	python-daphne	=3.0.1-1 \|\| =3.0.2-1 \|\| =4.0.0-1 \|\| =4.1.2-1 \|\| =4.1.2-2 \|\| =4.2.1-1 \|\| =4.2.1-2
debian 13	python-daphne	=4.1.2-2 \|\| =4.2.1-1 \|\| =4.2.1-2
debian 12	python-daphne	=4.0.0-1 \|\| =4.1.2-1 \|\| =4.1.2-2 \|\| =4.2.1-1 \|\| =4.2.1-2
debian 14	python-daphne	=4.1.2-2 \|\| =4.2.1-1 \|\| =4.2.1-2

Aliases

1. CVE-2026-445452. NVD-2026-445453. OSV-DEBIAN-2026-445454. OSV-2026-445455. SECURITY-TRACKER-CVE-2026-44545

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.