Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.4, Centrifugo unidirectional WebSocket transport with uni_websocket.compression enabled enforced uni_websocket.message_size_limit against compressed wire-frame length in internal/websocket/conn.go advanceFrame, but ReadMessage used io.ReadAll after decompression without an output cap, allowing unauthenticated requests to /connection/uni_websocket to trigger large memory and CPU consumption. This issue is fixed in version 6.8.4.
Metrics
Affected Vendors & Products
References
History
Thu, 16 Jul 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Centrifugal
Centrifugal centrifugo |
|
| Vendors & Products |
Centrifugal
Centrifugal centrifugo |
Thu, 16 Jul 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.4, Centrifugo unidirectional WebSocket transport with uni_websocket.compression enabled enforced uni_websocket.message_size_limit against compressed wire-frame length in internal/websocket/conn.go advanceFrame, but ReadMessage used io.ReadAll after decompression without an output cap, allowing unauthenticated requests to /connection/uni_websocket to trigger large memory and CPU consumption. This issue is fixed in version 6.8.4. | |
| Title | Centrifugo: Decompression bomb DoS via permessage-deflate in unidirectional WebSocket transport | |
| Weaknesses | CWE-409 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-16T19:34:48.882Z
Reserved: 2026-07-14T22:32:17.732Z
Link: CVE-2026-62963
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-16T20:30:05Z