Skip to main content

Centrifugo CVE-2026-62963

| EUVDEUVD-2026-45016 HIGH
Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
2026-07-16 GitHub_M
8.7
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable endpoint (AV:N/PR:N/UI:N) with a simple crafted frame (AC:L); impact is pure availability exhaustion (A:H) with no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Jul 16, 2026 - 22:19 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 20:18 vuln.today
Analysis Generated
Jul 16, 2026 - 20:18 vuln.today
CVE Published
Jul 16, 2026 - 19:34 cve.org
HIGH 8.7

DescriptionCVE.org

Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.4, Centrifugo unidirectional WebSocket transport with uni_websocket.compression enabled enforced uni_websocket.message_size_limit against compressed wire-frame length in internal/websocket/conn.go advanceFrame, but ReadMessage used io.ReadAll after decompression without an output cap, allowing unauthenticated requests to /connection/uni_websocket to trigger large memory and CPU consumption. This issue is fixed in version 6.8.4.

AnalysisAI

Uncontrolled memory and CPU exhaustion in Centrifugo real-time messaging server before 6.8.4 lets unauthenticated attackers send a small compressed WebSocket frame to the unidirectional transport that inflates into a massive decompressed payload. The message_size_limit was only checked against compressed wire bytes, while decompressed output was read via io.ReadAll with no cap, enabling a classic decompression bomb denial of service. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach uni_websocket endpoint unauthenticated
Delivery
Negotiate permessage-deflate compression
Exploit
Send tiny high-ratio compressed frame
Execution
Server decompresses without output cap
Persist
Memory and CPU exhausted
Impact
Service degraded or crashes (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target run the unidirectional WebSocket transport with uni_websocket.compression explicitly enabled - this is the exact precondition named in the description, and instances with compression disabled are not affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H) scores 8.7 and is internally consistent with the description: network-reachable, low complexity, unauthenticated, with a pure availability impact and no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker who can reach a Centrifugo instance's /connection/uni_websocket endpoint negotiates permessage-deflate compression and sends a highly compressible frame (e.g. a few kilobytes of repeated bytes) that stays under message_size_limit on the wire. …
Remediation Vendor-released patch: upgrade to Centrifugo 6.8.4 (https://github.com/centrifugal/centrifugo/releases/tag/v6.8.4), which adds a decompressed_message_size_limit cap for the WebSocket and uni_websocket transports; per the advisory GHSA-q6mr-3g59-5m8x and PR https://github.com/centrifugal/centrifugo/pull/1162 (commit 46d40e4ac3a5446c9745f8b219197166ae12a6e5) the limit defaults to message_size_limit times 10 when left at zero. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Centrifugo deployments and verify which versions are in use, particularly any running before version 6.8.4. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-62963 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy