Centrifugo v6.6.0: The Supply Chain Trojan Horse
Vulnerability ID: GHSA-J9WF-6R2X-HQMX
CVSS Score: 6.5
Published: 2026-02-19
A classic supply chain compromise affecting the Centrifugo real-time messaging server. Version v6.6.0 shipped with vulnerable third-party Go dependencies, effectively embedding critical flaws directly into the build artifact. This advisory highlights the risks of transitive dependencies in modern Go applications, where a single outdated package can turn a secure fortress into a house of cards.
TL;DR
Centrifugo v6.6.0 included vulnerable Go dependencies (likely networking or serialization libraries) in its release build. Attackers can exploit these underlying libraries to cause Denial of Service (DoS) or potentially execute code, despite the core Centrifugo code being secure. Fixed in v6.6.1 via dependency updates.
⚠️ Exploit Status: POC
Technical Details
- Attack Vector: Network (Remote)
- CVSS v3.1: 6.5 (Medium)
- Impact: Denial of Service / Potential RCE
- Affected Component: Third-party Go Dependencies (net, protobuf)
- CWE ID: CWE-1395
- Fix Version: v6.6.1
Affected Systems
- Centrifugo Server v6.6.0
- Go applications importing github.com/centrifugal/centrifugo/v6 at v6.6.0
-
Centrifugo: = 6.6.0 (Fixed in:
6.6.1)
Code Analysis
Commit: b47e530
Bump dependencies to fix vulnerabilities
go.mod updates
Mitigation Strategies
- Update Centrifugo immediately to v6.6.1 or later.
- Implement automated dependency scanning in CI/CD pipelines (e.g., govulncheck, Trivy).
- Restrict network access to the Centrifugo service using a WAF or load balancer to filter malformed HTTP/2 or WebSocket frames upstream.
Remediation Steps:
- Stop the running Centrifugo instance.
- Download the v6.6.1 binary or pull the
centrifugo/centrifugo:v6.6.1Docker image. - Verify the version with
centrifugo version. - Restart the service.
References
Read the full report for GHSA-J9WF-6R2X-HQMX on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)