๐Ÿ” CVE Alert

CVE-2026-62963

UNKNOWN 0.0

Centrifugo: Decompression bomb DoS via permessage-deflate in unidirectional WebSocket transport

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.4, Centrifugo unidirectional WebSocket transport with uni_websocket.compression enabled enforced uni_websocket.message_size_limit against compressed wire-frame length in internal/websocket/conn.go advanceFrame, but ReadMessage used io.ReadAll after decompression without an output cap, allowing unauthenticated requests to /connection/uni_websocket to trigger large memory and CPU consumption. This issue is fixed in version 6.8.4.

CWE CWE-409
Vendor centrifugal
Product centrifugo
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for centrifugal centrifugo

Be the first to know when new unknown vulnerabilities affecting centrifugal centrifugo are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

centrifugal / centrifugo
< 6.8.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/centrifugal/centrifugo/security/advisories/GHSA-q6mr-3g59-5m8x github.com: https://github.com/centrifugal/centrifugo/pull/1162 github.com: https://github.com/centrifugal/centrifugo/commit/46d40e4ac3a5446c9745f8b219197166ae12a6e5 github.com: https://github.com/centrifugal/centrifugo/releases/tag/v6.8.4