Search
Find a vulnerability
Search criteria
4 vulnerabilities found for centrifugo by centrifugal
CVE-2026-62963 (GCVE-0-2026-62963)
Vulnerability from cvelistv5 – Published: 2026-07-16 19:34 – Updated: 2026-07-16 19:34
VLAI
EPSS
VEX
Title
Centrifugo: Decompression bomb DoS via permessage-deflate in unidirectional WebSocket transport
Summary
Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.4, Centrifugo unidirectional WebSocket transport with uni_websocket.compression enabled enforced uni_websocket.message_size_limit against compressed wire-frame length in internal/websocket/conn.go advanceFrame, but ReadMessage used io.ReadAll after decompression without an output cap, allowing unauthenticated requests to /connection/uni_websocket to trigger large memory and CPU consumption. This issue is fixed in version 6.8.4.
Severity
CWE
- CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/centrifugal/centrifugo/securit… | x_refsource_CONFIRM |
| https://github.com/centrifugal/centrifugo/pull/1162 | x_refsource_MISC |
| https://github.com/centrifugal/centrifugo/commit/… | x_refsource_MISC |
| https://github.com/centrifugal/centrifugo/release… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| centrifugal | centrifugo |
Affected:
< 6.8.4
|
{
"containers": {
"cna": {
"affected": [
{
"product": "centrifugo",
"vendor": "centrifugal",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.4, Centrifugo unidirectional WebSocket transport with uni_websocket.compression enabled enforced uni_websocket.message_size_limit against compressed wire-frame length in internal/websocket/conn.go advanceFrame, but ReadMessage used io.ReadAll after decompression without an output cap, allowing unauthenticated requests to /connection/uni_websocket to trigger large memory and CPU consumption. This issue is fixed in version 6.8.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-409",
"description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T19:34:48.882Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/centrifugal/centrifugo/security/advisories/GHSA-q6mr-3g59-5m8x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/centrifugal/centrifugo/security/advisories/GHSA-q6mr-3g59-5m8x"
},
{
"name": "https://github.com/centrifugal/centrifugo/pull/1162",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/centrifugal/centrifugo/pull/1162"
},
{
"name": "https://github.com/centrifugal/centrifugo/commit/46d40e4ac3a5446c9745f8b219197166ae12a6e5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/centrifugal/centrifugo/commit/46d40e4ac3a5446c9745f8b219197166ae12a6e5"
},
{
"name": "https://github.com/centrifugal/centrifugo/releases/tag/v6.8.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/centrifugal/centrifugo/releases/tag/v6.8.4"
}
],
"source": {
"advisory": "GHSA-q6mr-3g59-5m8x",
"discovery": "UNKNOWN"
},
"title": "Centrifugo: Decompression bomb DoS via permessage-deflate in unidirectional WebSocket transport"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-62963",
"datePublished": "2026-07-16T19:34:48.882Z",
"dateReserved": "2026-07-14T22:32:17.732Z",
"dateUpdated": "2026-07-16T19:34:48.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49998 (GCVE-0-2026-49998)
Vulnerability from cvelistv5 – Published: 2026-07-16 19:33 – Updated: 2026-07-16 19:33
VLAI
EPSS
VEX
Title
Centrifugo: Dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass
Summary
Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.1, Centrifugo dynamic JWKS endpoint verification could reuse a key for one allowed issuer to verify a JWT for another allowed issuer because the JWKS cache and singleflight lookup were keyed only by JWT header kid, not by the resolved JWKS endpoint, issuer, audience, or trust-domain namespace, affecting client.token.jwks_public_endpoint, client.subscription_token.jwks_public_endpoint, internal/jwks/cache.go, and internal/jwks/manager.go. This issue is fixed in version 6.8.1.
Severity
8.2 (High)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/centrifugal/centrifugo/securit… | x_refsource_CONFIRM |
| https://github.com/centrifugal/centrifugo/pull/1142 | x_refsource_MISC |
| https://github.com/centrifugal/centrifugo/commit/… | x_refsource_MISC |
| https://github.com/centrifugal/centrifugo/release… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| centrifugal | centrifugo |
Affected:
< 6.8.1
|
{
"containers": {
"cna": {
"affected": [
{
"product": "centrifugo",
"vendor": "centrifugal",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.1, Centrifugo dynamic JWKS endpoint verification could reuse a key for one allowed issuer to verify a JWT for another allowed issuer because the JWKS cache and singleflight lookup were keyed only by JWT header kid, not by the resolved JWKS endpoint, issuer, audience, or trust-domain namespace, affecting client.token.jwks_public_endpoint, client.subscription_token.jwks_public_endpoint, internal/jwks/cache.go, and internal/jwks/manager.go. This issue is fixed in version 6.8.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T19:33:33.147Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/centrifugal/centrifugo/security/advisories/GHSA-g6vg-wj8f-48cj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/centrifugal/centrifugo/security/advisories/GHSA-g6vg-wj8f-48cj"
},
{
"name": "https://github.com/centrifugal/centrifugo/pull/1142",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/centrifugal/centrifugo/pull/1142"
},
{
"name": "https://github.com/centrifugal/centrifugo/commit/15d785015c6f318c1b68ea40b813699c9f8bd2c4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/centrifugal/centrifugo/commit/15d785015c6f318c1b68ea40b813699c9f8bd2c4"
},
{
"name": "https://github.com/centrifugal/centrifugo/releases/tag/v6.8.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/centrifugal/centrifugo/releases/tag/v6.8.1"
}
],
"source": {
"advisory": "GHSA-g6vg-wj8f-48cj",
"discovery": "UNKNOWN"
},
"title": "Centrifugo: Dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49998",
"datePublished": "2026-07-16T19:33:33.147Z",
"dateReserved": "2026-06-02T18:30:51.283Z",
"dateUpdated": "2026-07-16T19:33:33.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32301 (GCVE-0-2026-32301)
Vulnerability from cvelistv5 – Published: 2026-03-12 21:19 – Updated: 2026-03-13 13:09
VLAI
EPSS
VEX
Title
Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL
Summary
Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. {{tenant}}). An unauthenticated attacker can craft a JWT with a malicious iss or aud claim value that gets interpolated into the JWKS fetch URL before the token signature is verified, causing Centrifugo to make an outbound HTTP request to an attacker-controlled destination. This vulnerability is fixed in 6.7.0.
Severity
9.3 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/centrifugal/centrifugo/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| centrifugal | centrifugo |
Affected:
< 6.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32301",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T13:09:43.696846Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T13:09:57.376Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "centrifugo",
"vendor": "centrifugal",
"versions": [
{
"status": "affected",
"version": "\u003c 6.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. {{tenant}}). An unauthenticated attacker can craft a JWT with a malicious iss or aud claim value that gets interpolated into the JWKS fetch URL before the token signature is verified, causing Centrifugo to make an outbound HTTP request to an attacker-controlled destination. This vulnerability is fixed in 6.7.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T21:19:03.862Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/centrifugal/centrifugo/security/advisories/GHSA-j77h-rr39-c552",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/centrifugal/centrifugo/security/advisories/GHSA-j77h-rr39-c552"
}
],
"source": {
"advisory": "GHSA-j77h-rr39-c552",
"discovery": "UNKNOWN"
},
"title": "Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32301",
"datePublished": "2026-03-12T21:19:03.862Z",
"dateReserved": "2026-03-11T21:16:21.658Z",
"dateUpdated": "2026-03-13T13:09:57.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32301 (GCVE-0-2026-32301)
Vulnerability from nvd – Published: 2026-03-12 21:19 – Updated: 2026-03-13 13:09
VLAI
EPSS
VEX
Title
Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL
Summary
Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. {{tenant}}). An unauthenticated attacker can craft a JWT with a malicious iss or aud claim value that gets interpolated into the JWKS fetch URL before the token signature is verified, causing Centrifugo to make an outbound HTTP request to an attacker-controlled destination. This vulnerability is fixed in 6.7.0.
Severity
9.3 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/centrifugal/centrifugo/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| centrifugal | centrifugo |
Affected:
< 6.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32301",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T13:09:43.696846Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T13:09:57.376Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "centrifugo",
"vendor": "centrifugal",
"versions": [
{
"status": "affected",
"version": "\u003c 6.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. {{tenant}}). An unauthenticated attacker can craft a JWT with a malicious iss or aud claim value that gets interpolated into the JWKS fetch URL before the token signature is verified, causing Centrifugo to make an outbound HTTP request to an attacker-controlled destination. This vulnerability is fixed in 6.7.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T21:19:03.862Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/centrifugal/centrifugo/security/advisories/GHSA-j77h-rr39-c552",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/centrifugal/centrifugo/security/advisories/GHSA-j77h-rr39-c552"
}
],
"source": {
"advisory": "GHSA-j77h-rr39-c552",
"discovery": "UNKNOWN"
},
"title": "Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32301",
"datePublished": "2026-03-12T21:19:03.862Z",
"dateReserved": "2026-03-11T21:16:21.658Z",
"dateUpdated": "2026-03-13T13:09:57.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}