PT-2026-60567 · Centrifugal · Centrifugo
CVE-2026-62963
·
Published
2026-07-16
·
Updated
2026-07-16
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.4, Centrifugo unidirectional WebSocket transport with uni websocket.compression enabled enforced uni websocket.message size limit against compressed wire-frame length in internal/websocket/conn.go advanceFrame, but ReadMessage used io.ReadAll after decompression without an output cap, allowing unauthenticated requests to /connection/uni websocket to trigger large memory and CPU consumption. This issue is fixed in version 6.8.4.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Centrifugo