daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.
{
"severity": "MODERATE",
"github_reviewed": true,
"nvd_published_at": "2026-06-03T14:16:43Z",
"cwe_ids": [
"CWE-770"
],
"github_reviewed_at": "2026-07-11T22:53:32Z"
}