github.com/centrifugal/centrifugo v6 vulnerabilities
3 known vulnerabilities affecting github.com/centrifugal_centrifugo_v6.
Total CVEs
3
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL: 1, HIGH: 2
Vulnerabilities
CVE-2025-68121 · P3 · HIGH · CVSS 7.5 · affected versions ≥ 0, < 6.6.1 · 2026-02-19
CVE-2025-68121 [HIGH] CWE-1395 Centrifugo v6.6.0 dependency vulnerabilities
Centrifugo v6.6.0 dependency vulnerabilities
### Summary
The Centrifugo v6.6.0 binary is compiled with **Go 1.25.5** and
statically links `github.com/quic-go/webtransport-go v0.9.0`; between them these carry **7 known
CVEs**.
**Go standard library — compiled with Go 1.25.5:**
| CVE | Severity | CVSS | Fixed In |
|-----|----------|------|----------|
| CVE-2025-68121 | **CRITICAL** | 10.0 | Go 1.25.7, 1.24.13 |
| CVE-2025-61726 | HIGH | 7.5
CVE-2026-32301 · P3 · CRITICAL · affected versions ≥ 0, < 6.7.0 · 2026-03-13
CVE-2026-32301 [CRITICAL] CWE-918 Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL
Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL
### Summary
Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. `{{tenant}}`). An unauthenticated attacker can craft a JWT with a malicious `iss` or `aud` claim value that gets interpolated into the J
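The root problem is ordering: the JWKS URL is built from claims before any key has been fetched, so at that moment `iss`/`aud` are plain attacker input. The example below is added here and is not Centrifugo's code; it uses a hypothetical template `https://{{tenant}}.auth.example.com/.well-known/jwks.json` (the placeholder name follows the advisory's example), assumes the operator mapped the `iss` claim to `{{tenant}}`, and contrasts raw substitution with a resolver that validates the claim as a single DNS label and re-checks the final URL's scheme, userinfo, port and host suffix. The attacker claim values are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// jwksTemplate is a hypothetical operator-configured dynamic JWKS endpoint.
const jwksTemplate = "https://{{tenant}}.auth.example.com/.well-known/jwks.json"

// allowedSuffix is the host suffix every resolved endpoint must keep.
const allowedSuffix = ".auth.example.com"

// naiveResolve substitutes the claim value straight into the template.
// The token has not been verified yet, so the value is attacker-controlled.
func naiveResolve(tmpl, claim string) string {
	return strings.ReplaceAll(tmpl, "{{tenant}}", claim)
}

// tenantLabel is the only shape a tenant value may take: one DNS label.
var tenantLabel = regexp.MustCompile(`^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// safeResolve validates the claim before substitution and then checks the
// resulting URL, so interpolation can never move the fetch off the
// operator's host, change the scheme, add userinfo or pick a new port.
func safeResolve(tmpl, claim string) (string, error) {
	if !tenantLabel.MatchString(claim) {
		return "", fmt.Errorf("tenant claim %q is not a single DNS label", claim)
	}
	resolved := strings.ReplaceAll(tmpl, "{{tenant}}", claim)
	u, err := url.Parse(resolved)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || u.User != nil || u.Port() != "" {
		return "", errors.New("resolved URL changed scheme, userinfo or port")
	}
	if !strings.HasSuffix(u.Hostname(), allowedSuffix) {
		return "", fmt.Errorf("resolved host %q is outside %s", u.Hostname(), allowedSuffix)
	}
	return resolved, nil
}

// hostOf reports where an HTTP client would actually send the request.
func hostOf(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return ""
	}
	return u.Hostname()
}

func main() {
	// Constructed claim values: one legitimate tenant, two SSRF attempts.
	claims := []string{
		"acme",
		"169.254.169.254/latest/meta-data/#", // steer the fetch at a metadata service
		"attacker.test:443/jwks.json?",       // steer the fetch at an attacker host
	}
	for _, c := range claims {
		n := naiveResolve(jwksTemplate, c)
		fmt.Printf("claim %q\n  naive -> %s (request goes to host %s)\n", c, n, hostOf(n))
		if u, err := safeResolve(jwksTemplate, c); err != nil {
			fmt.Printf("  safe  -> rejected: %v\n", err)
		} else {
			fmt.Printf("  safe  -> %s\n", u)
		}
	}
}
```

With the naive resolver the two hostile claims turn the host into `169.254.169.254` and `attacker.test` respectively (the rest of the template ends up in the fragment or query string); the safe resolver rejects both at the label check and still accepts `acme`. A real deployment would additionally restrict the outbound HTTP client (timeouts, no redirects off the allowed host, no link-local or private destinations).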
CVE-2026-49998 · HIGH · affected versions ≥ 0, < 6.8.1 · 2026-07-01
CVE-2026-49998 [HIGH] CWE-347 Centrifugo's dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass
Centrifugo's dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass
### Summary
Centrifugo's dynamic JWKS endpoint feature can verify a JWT for one allowed issuer using a public key cached from another allowed issuer. The JWKS cache and `singleflight` lookup are keyed only by the JWT header `kid`, not by the resolved JWKS endpoin
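The following is an added example, not Centrifugo's code, that plays the cross-issuer attack against a simplified verifier twice: once with a key cache keyed by `kid` alone, once keyed by the resolved endpoint plus `kid`. Tokens are a stand-in struct rather than real JWT encoding, the "JWKS fetch" is a map lookup, the `singleflight` deduplication the advisory mentions is not modelled, and both issuers, endpoints and keys are constructed inline. Two allowed issuers share the `kid` value `k1`; the attacker controls the second issuer's keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// token is a deliberately simplified stand-in for a JWT: the header kid,
// the iss claim, the bytes that were signed and the signature.
type token struct {
	kid, iss string
	payload  []byte
	sig      []byte
}

// jwksSource simulates one allowed issuer: the endpoint the JWKS template
// resolved to for that issuer and the keys that endpoint would serve.
type jwksSource struct {
	endpoint string
	keys     map[string]ed25519.PublicKey
}

// cacheKeyFn decides what identifies a cached public key.
type cacheKeyFn func(endpoint, kid string) string

func kidOnly(_, kid string) string               { return kid }                      // vulnerable policy
func endpointAndKid(endpoint, kid string) string { return endpoint + "\x00" + kid } // hardened policy

type verifier struct {
	issuers map[string]*jwksSource // iss claim -> resolved JWKS source
	keyOf   cacheKeyFn
	cache   map[string]ed25519.PublicKey
}

// verify resolves the issuer's endpoint, takes the key from the cache
// (fetching on a miss) and checks the signature. Only the cache key differs
// between the two policies.
func (v *verifier) verify(t token) error {
	src, ok := v.issuers[t.iss]
	if !ok {
		return errors.New("issuer not allowed")
	}
	ck := v.keyOf(src.endpoint, t.kid)
	pub, hit := v.cache[ck]
	if !hit {
		pub, ok = src.keys[t.kid] // simulated JWKS fetch from this issuer's endpoint
		if !ok {
			return errors.New("kid not served by issuer's JWKS endpoint")
		}
		v.cache[ck] = pub
	}
	if !ed25519.Verify(pub, t.payload, t.sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func sign(priv ed25519.PrivateKey, kid, iss string) token {
	payload := []byte("iss=" + iss + ";sub=alice")
	return token{kid: kid, iss: iss, payload: payload, sig: ed25519.Sign(priv, payload)}
}

type outcome struct{ forgedAccepted, genuineAccepted bool }

// runScenario warms the cache with a valid token from the attacker's own
// issuer, then presents a forged token for the victim issuer, then a genuine
// victim token, and reports what the verifier decided.
func runScenario(keyOf cacheKeyFn) (outcome, error) {
	victimPub, victimPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return outcome{}, err
	}
	attackerPub, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return outcome{}, err
	}
	const kid = "k1" // the attacker publishes a key under the victim's kid
	const victim, attacker = "https://victim.example.com", "https://attacker.example.net"
	v := &verifier{keyOf: keyOf, cache: map[string]ed25519.PublicKey{}, issuers: map[string]*jwksSource{
		victim:   {endpoint: victim + "/jwks.json", keys: map[string]ed25519.PublicKey{kid: victimPub}},
		attacker: {endpoint: attacker + "/jwks.json", keys: map[string]ed25519.PublicKey{kid: attackerPub}},
	}}
	if err := v.verify(sign(attackerPriv, kid, attacker)); err != nil {
		return outcome{}, fmt.Errorf("warm-up token should verify: %w", err)
	}
	return outcome{
		forgedAccepted:  v.verify(sign(attackerPriv, kid, victim)) == nil,
		genuineAccepted: v.verify(sign(victimPriv, kid, victim)) == nil,
	}, nil
}

func main() {
	for name, policy := range map[string]cacheKeyFn{"kid-only": kidOnly, "endpoint+kid": endpointAndKid} {
		o, err := runScenario(policy)
		fmt.Printf("%-13s forged accepted=%v genuine accepted=%v err=%v\n", name, o.forgedAccepted, o.genuineAccepted, err)
	}
}
```

Under the `kid`-only policy the warm-up token leaves the attacker's key cached under `k1`, so the forged victim token verifies and, as a side effect, the genuine victim token is rejected because the poisoned entry shadows the victim's real key. Keying by endpoint and `kid` makes the forged token miss the cache, fetch the victim's key and fail; the genuine token still passes. The same separation has to be applied to any in-flight deduplication (such as `singleflight`) in front of the cache, otherwise two concurrent fetches for different issuers can still be collapsed into one.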