GHSA-J9WF-6R2X-HQMX
Vulnerability from github – Published: 2026-02-19 22:07 – Updated: 2026-02-19 22:07
Summary
Centrifugo v6.6.0 dependency vulnerabilities
Details
Summary
The Centrifugo v6.6.0 binary is compiled with Go 1.25.5 and statically links github.com/quic-go/webtransport-go v0.9.0, which together have 7 known CVEs.
Go standard library — compiled with Go 1.25.5:
| CVE | Severity | CVSS | Fixed In |
|---|---|---|---|
| CVE-2025-68121 | CRITICAL | 10.0 | Go 1.25.7, 1.24.13 |
| CVE-2025-61726 | HIGH | 7.5 | Go 1.25.6, 1.24.12 |
| CVE-2025-61728 | MEDIUM | 6.5 | Go 1.25.6, 1.24.12 |
| CVE-2025-61730 | MEDIUM | 5.3 | Go 1.25.6, 1.24.12 |
Direct dependency github.com/quic-go/webtransport-go — pinned at v0.9.0 (go.mod line 34):
| CVE | Severity | CVSS | Fixed In |
|---|---|---|---|
| CVE-2026-21434 | MEDIUM | 5.3 | webtransport-go v0.10.0 |
| CVE-2026-21435 | MEDIUM | 5.3 | webtransport-go v0.10.0 |
| CVE-2026-21438 | MEDIUM | 5.3 | webtransport-go v0.10.0 |
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/centrifugal/centrifugo/v6"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-19T22:07:13Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary \n \n Centrifugo v6.6.0 binary is compiled with **Go 1.25.5** and \n statically links `github.com/quic-go/webtransport-go v0.9.0`, having **7 known \n CVEs**\n\n **Go standard library \u2014 compiled with Go 1.25.5:**\n\n | CVE | Severity | CVSS | Fixed In |\n |-----|----------|------|----------|\n | CVE-2025-68121 | **CRITICAL** | 10.0 | Go 1.25.7, 1.24.13 |\n | CVE-2025-61726 | HIGH | 7.5 | Go 1.25.6, 1.24.12 |\n | CVE-2025-61728 | MEDIUM | 6.5 | Go 1.25.6, 1.24.12 |\n | CVE-2025-61730 | MEDIUM | 5.3 | Go 1.25.6, 1.24.12 |\n\n **Direct dependency `github.com/quic-go/webtransport-go` \u2014 pinned at v0.9.0\n (`go.mod` line 34):**\n\n | CVE | Severity | CVSS | Fixed In |\n |-----|----------|------|----------|\n | CVE-2026-21434 | MEDIUM | 5.3 | webtransport-go v0.10.0 |\n | CVE-2026-21435 | MEDIUM | 5.3 | webtransport-go v0.10.0 |\n | CVE-2026-21438 | MEDIUM | 5.3 | webtransport-go v0.10.0 |",
"id": "GHSA-j9wf-6r2x-hqmx",
"modified": "2026-02-19T22:07:13Z",
"published": "2026-02-19T22:07:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/centrifugal/centrifugo/security/advisories/GHSA-j9wf-6r2x-hqmx"
},
{
"type": "PACKAGE",
"url": "https://github.com/centrifugal/centrifugo"
},
{
"type": "WEB",
"url": "https://github.com/centrifugal/centrifugo/releases/tag/v6.6.1"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Centrifugo v6.6.0 dependency vulnerabilities"
}