Centrifugo v6.6.0 contains Go and webtransport-go vulnerabilities
GHSA-j9wf-6r2x-hqmx
Summary
Centrifugo v6.6.0 includes known security weaknesses in its programming language (Go) and a direct dependency (webtransport-go). This means that if an attacker exploits these weaknesses, they could potentially gain control of your system. To fix this, you should update to the latest version of Centrifugo, which includes the latest versions of Go and webtransport-go that address these issues.
What to do
- Update Centrifugo to version 6.6.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | centrifugal | <= 6.6.1 | 6.6.1 |
Original title
Centrifugo v6.6.0 dependency vulnerabilities
Original description
### Summary
The Centrifugo v6.6.0 binary is compiled with **Go 1.25.5** and statically links `github.com/quic-go/webtransport-go v0.9.0`, which together have **7 known CVEs**.
**Go standard library — compiled with Go 1.25.5:**
| CVE | Severity | CVSS | Fixed In |
|-----|----------|------|----------|
| CVE-2025-68121 | **CRITICAL** | 10.0 | Go 1.25.7, 1.24.13 |
| CVE-2025-61726 | HIGH | 7.5 | Go 1.25.6, 1.24.12 |
| CVE-2025-61728 | MEDIUM | 6.5 | Go 1.25.6, 1.24.12 |
| CVE-2025-61730 | MEDIUM | 5.3 | Go 1.25.6, 1.24.12 |
**Direct dependency `github.com/quic-go/webtransport-go` — pinned at v0.9.0 (`go.mod` line 34):**
| CVE | Severity | CVSS | Fixed In |
|-----|----------|------|----------|
| CVE-2026-21434 | MEDIUM | 5.3 | webtransport-go v0.10.0 |
| CVE-2026-21435 | MEDIUM | 5.3 | webtransport-go v0.10.0 |
| CVE-2026-21438 | MEDIUM | 5.3 | webtransport-go v0.10.0 |
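
To check a deployed binary against the two tables above, the following added example (not code from the Centrifugo project or from the advisory) reads the toolchain and module versions that Go embeds in every binary and compares them with the fixed releases listed here. The function names and the simplified `vMAJOR.MINOR.PATCH` parsing are assumptions of this example.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"go/version"
	"os"
)

const wtModule = "github.com/quic-go/webtransport-go"
// Oldest Go release per line that fixes all four CVEs in the advisory table.
var fixedGo = map[string]string{"go1.25": "go1.25.7", "go1.24": "go1.24.13"}

// auditVersions returns one finding per component older than its fixed release.
func auditVersions(goVer string, deps map[string]string) []string {
	var out []string
	if fix, ok := fixedGo[version.Lang(goVer)]; !ok {
		out = append(out, "Go "+goVer+": release line not in the advisory, check manually")
	} else if version.Compare(goVer, fix) < 0 {
		out = append(out, "Go "+goVer+" is older than "+fix)
	}
	if v, ok := deps[wtModule]; ok { // absent: module not linked into this binary
		var major, minor, patch int
		// Simplification: only vMAJOR.MINOR.PATCH is parsed; any suffix is ignored.
		if n, _ := fmt.Sscanf(v, "v%d.%d.%d", &major, &minor, &patch); n != 3 {
			out = append(out, wtModule+" "+v+": unparsable version, check manually")
		} else if major == 0 && minor < 10 {
			out = append(out, wtModule+" "+v+" is older than v0.10.0")
		}
	}
	return out
}

// auditBinary reads the module and toolchain versions the Go linker embeds.
func auditBinary(path string) ([]string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	deps := map[string]string{}
	for _, m := range bi.Deps {
		deps[m.Path] = m.Version
	}
	return auditVersions(bi.GoVersion, deps), nil
}

func main() {
	fmt.Println(auditBinary(os.Args[len(os.Args)-1])) // no argument: audits itself
}
```

Pass the path to the Centrifugo binary as the only argument; `go version -m <binary>` prints the same embedded data for manual inspection.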
Vulnerability type
CWE-1395
Published: 19 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026