Fixed CVE-2026-44545: Limit WebSocket sizes in autobahn config.

carltongibson · carltongibson · commit 32f8be0fb0bf · 2026-06-03T12:47:03.000+02:00
Fixed a denial of service vulnerability via unbounded WebSocket message sizes. Daphne previously passed no message or frame size limits to autobahn, whose defaults are unbounded. This allowed an unauthenticated client to exhaust server memory by sending a very large WebSocket messages/frames (CVE-2026-44545). Both limits now default to 1 MiB and can be configured via the new ``--websocket-max-message-size`` and ``--websocket-max-frame-size`` CLI flags (or the matching ``Server`` constructor arguments). Pass ``0`` to restore the previous unlimited behaviour. Thanks to ParkHyunWoo for the report.
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
@@ -1,6 +1,19 @@
-4.2.2 (UNRELEASED)
+4.2.2 (2026-06-03)
 ------------------
 
+* Fixed a denial of service vulnerability via unbounded WebSocket message sizes.
+  Daphne previously passed no message or frame size limits to autobahn,
+  whose defaults are unbounded. This allowed an unauthenticated client
+  to exhaust server memory by sending a very large WebSocket
+  messages/frames (CVE-2026-44545).
+
+  Both limits now default to 1 MiB and can be configured via the new
+  ``--websocket-max-message-size`` and ``--websocket-max-frame-size`` CLI
+  flags (or the matching ``Server`` constructor arguments). Pass ``0`` to
+  restore the previous unlimited behaviour.
+  
+  Thanks to ParkHyunWoo for the report.
+
 * Fixed a header injection vulnerability on the WebSocket upgrade path
   (CVE-2026-44546).
 
diff --git a/daphne/cli.py b/daphne/cli.py
@@ -107,6 +107,22 @@ def __init__(self):
             help="The number of seconds before a WebSocket is closed if no response to a keepalive ping",
             default=30,
         )
+        self.parser.add_argument(
+            "--websocket-max-message-size",
+            type=int,
+            help="Maximum size, in bytes, of an incoming WebSocket message. "
+            "0 disables the limit (not recommended; allows unauthenticated "
+            "memory exhaustion).",
+            default=1024 * 1024,
+        )
+        self.parser.add_argument(
+            "--websocket-max-frame-size",
+            type=int,
+            help="Maximum size, in bytes, of a single incoming WebSocket frame. "
+            "0 disables the limit (not recommended; allows unauthenticated "
+            "memory exhaustion).",
+            default=1024 * 1024,
+        )
         self.parser.add_argument(
             "--application-close-timeout",
             type=int,
@@ -275,6 +291,8 @@ def run(self, args):
             websocket_timeout=args.websocket_timeout,
             websocket_connect_timeout=args.websocket_connect_timeout,
             websocket_handshake_timeout=args.websocket_connect_timeout,
+            websocket_max_message_size=args.websocket_max_message_size,
+            websocket_max_frame_size=args.websocket_max_frame_size,
             application_close_timeout=args.application_close_timeout,
             action_logger=(
                 AccessLogGenerator(access_log_stream) if access_log_stream else None
diff --git a/daphne/server.py b/daphne/server.py
@@ -63,6 +63,8 @@ def __init__(
         proxy_forwarded_proto_header=None,
         verbosity=1,
         websocket_handshake_timeout=5,
+        websocket_max_message_size=1024 * 1024,
+        websocket_max_frame_size=1024 * 1024,
         application_close_timeout=10,
         ready_callable=None,
         server_name="daphne",
@@ -83,6 +85,8 @@ def __init__(
         self.websocket_timeout = websocket_timeout
         self.websocket_connect_timeout = websocket_connect_timeout
         self.websocket_handshake_timeout = websocket_handshake_timeout
+        self.websocket_max_message_size = websocket_max_message_size
+        self.websocket_max_frame_size = websocket_max_frame_size
         self.application_close_timeout = application_close_timeout
         self.root_path = root_path
         self.verbosity = verbosity
@@ -104,6 +108,8 @@ def run(self):
             autoPingTimeout=self.ping_timeout,
             allowNullOrigin=True,
             openHandshakeTimeout=self.websocket_handshake_timeout,
+            maxMessagePayloadSize=self.websocket_max_message_size,
+            maxFramePayloadSize=self.websocket_max_frame_size,
         )
         if self.verbosity <= 1:
             # Redirect the Twisted log to nowhere
diff --git a/daphne/testing.py b/daphne/testing.py
@@ -18,12 +18,21 @@ class BaseDaphneTestingInstance:
     startup_timeout = 2
 
     def __init__(
-        self, xff=False, http_timeout=None, request_buffer_size=None, *, application
+        self,
+        xff=False,
+        http_timeout=None,
+        request_buffer_size=None,
+        websocket_max_message_size=None,
+        websocket_max_frame_size=None,
+        *,
+        application,
     ):
         self.xff = xff
         self.http_timeout = http_timeout
         self.host = "127.0.0.1"
         self.request_buffer_size = request_buffer_size
+        self.websocket_max_message_size = websocket_max_message_size
+        self.websocket_max_frame_size = websocket_max_frame_size
         self.application = application
 
     def get_application(self):
@@ -41,6 +50,10 @@ def __enter__(self):
             kwargs["proxy_forwarded_proto_header"] = "X-Forwarded-Proto"
         if self.http_timeout:
             kwargs["http_timeout"] = self.http_timeout
+        if self.websocket_max_message_size is not None:
+            kwargs["websocket_max_message_size"] = self.websocket_max_message_size
+        if self.websocket_max_frame_size is not None:
+            kwargs["websocket_max_frame_size"] = self.websocket_max_frame_size
         # Start up process
         self.process = DaphneProcess(
             host=self.host,
diff --git a/tests/test_websocket.py b/tests/test_websocket.py
@@ -267,6 +267,75 @@ def test_binary_frames(self):
                 "bytes": b"what is here? \xe2",
             }
 
+    def assert_oversized_frame_rejected(self, test_app):
+        """
+        Sends a 16-byte text frame and asserts the application sees only
+        connect + disconnect — i.e. autobahn dropped the connection (its
+        default failByDrop behaviour) before dispatching the payload.
+        """
+        test_app.add_send_messages([{"type": "websocket.accept"}])
+        sock, _ = self.websocket_handshake(test_app)
+        _, messages = test_app.get_received()
+        self.assert_valid_websocket_connect_message(messages[0])
+        self.websocket_send_frame(sock, "x" * 16)
+        deadline = time.time() + 2
+        final_messages = []
+        while time.time() < deadline:
+            _, final_messages = test_app.get_received()
+            if any(m["type"] == "websocket.disconnect" for m in final_messages):
+                break
+            time.sleep(0.05)
+        try:
+            sock.close()
+        except OSError:
+            pass
+        types = [m["type"] for m in final_messages]
+        self.assertEqual(
+            types,
+            ["websocket.connect", "websocket.disconnect"],
+            "Oversized frame should not have been delivered to the "
+            f"application, but got: {types}",
+        )
+
+    def test_websocket_max_message_size(self):
+        """
+        Tests that an incoming WebSocket message exceeding
+        ``websocket_max_message_size`` is rejected by autobahn before it
+        reaches the application.
+        """
+        # 16-byte frame > 8-byte message limit.
+        with DaphneTestingInstance(websocket_max_message_size=8) as test_app:
+            self.assert_oversized_frame_rejected(test_app)
+
+    def test_websocket_max_frame_size(self):
+        """
+        Tests that an incoming WebSocket frame exceeding
+        ``websocket_max_frame_size`` is rejected by autobahn before it
+        reaches the application, independently of the message size limit.
+        """
+        # Large message limit, so the frame size limit is what trips.
+        with DaphneTestingInstance(
+            websocket_max_frame_size=8,
+            websocket_max_message_size=1024 * 1024,
+        ) as test_app:
+            self.assert_oversized_frame_rejected(test_app)
+
+    def test_websocket_max_message_size_allows_under_limit(self):
+        """
+        Tests that messages under ``websocket_max_message_size`` are
+        delivered to the application unchanged.
+        """
+        with DaphneTestingInstance(websocket_max_message_size=64) as test_app:
+            test_app.add_send_messages([{"type": "websocket.accept"}])
+            sock, _ = self.websocket_handshake(test_app)
+            _, messages = test_app.get_received()
+            self.assert_valid_websocket_connect_message(messages[0])
+            test_app.add_send_messages(
+                [{"type": "websocket.send", "text": "ack"}]
+            )
+            self.websocket_send_frame(sock, "x" * 16)
+            assert self.websocket_receive_frame(sock) == "ack"
+
     def test_http_timeout(self):
         """
         Tests that the HTTP timeout doesn't kick in for WebSockets
