HIGH 7.5

PYSEC-2026-213

Details

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / daphne

Introduced in: 0 Fixed in: 4.2.2

Fix pip install --upgrade 'daphne>=4.2.2'

References

https://github.com/django/daphne/blob/main/CHANGELOG.txt [ADVISORY]