PT-2026-60567 · Centrifugal · Centrifugo

CVE-2026-62963

·

Published

2026-07-16

·

Updated

2026-07-16

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.4, Centrifugo unidirectional WebSocket transport with uni websocket.compression enabled enforced uni websocket.message size limit against compressed wire-frame length in internal/websocket/conn.go advanceFrame, but ReadMessage used io.ReadAll after decompression without an output cap, allowing unauthenticated requests to /connection/uni websocket to trigger large memory and CPU consumption. This issue is fixed in version 6.8.4.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-62963

Affected Products

Centrifugo