GHSA-J9WF-6R2X-HQMX: Centrifugo v6.6.0: The Supply Chain Trojan Horse

Source: Dev.to

Overview

A classic supply chain compromise affecting the Centrifugo real‑time messaging server. Version v6.6.0 shipped with vulnerable third‑party Go dependencies, embedding critical flaws directly into the build artifact. This advisory highlights the risks of transitive dependencies in modern Go applications, where a single outdated package can turn a secure fortress into a house of cards.

Vulnerability Details

• Vulnerability ID: GHSA-J9WF-6R2X-HQMX
• CVSS v3.1 Score: 6.5 (Medium)
• Published: 2026‑02‑19
• Attack Vector: Network (Remote)
• Impact: Denial of Service / Potential Remote Code Execution
• Affected Component: Third‑party Go dependencies (net, protobuf)
• CWE ID: CWE‑1395

Affected Versions

• Centrifugo Server: v6.6.0 (fixed in v6.6.1)
• Go import path: github.com/centrifugal/centrifugo/v6 at v6.6.0

Remediation Steps

1. Stop the running Centrifugo instance.
2. Update to version v6.6.1 or later:
   • Download the v6.6.1 binary or pull the centrifugo/centrifugo:v6.6.1 Docker image.
   • Verify the version with centrifugo version.
3. Restart the service.

Dependency Updates

Bump the vulnerable dependencies in go.mod and rebuild:

module github.com/your/project

go 1.22

require (
    github.com/centrifugal/centrifugo/v6 v6.6.1 // upgraded
    // other dependencies...
)

Additional Hardening

• Implement automated dependency scanning in CI/CD pipelines (e.g., govulncheck, Trivy).
• Restrict network access to the Centrifugo service using a WAF or load balancer to filter malformed HTTP/2 or WebSocket frames upstream.

References

• GitHub Advisory Database – GHSA-J9WF-6R2X-HQMX
• Full report with interactive diagrams and exploit analysis (available on the advisory website).