GHSA-j9wf-6r2x-hqmx: Centrifugo v6.6.0 dependency vulnerabilities
The Centrifugo v6.6.0 binary is compiled with Go 1.25.5 and statically links github.com/quic-go/webtransport-go v0.9.0; between them these two components carry the seven known CVEs listed below.
Go standard library — compiled with Go 1.25.5:
| CVE | Severity | CVSS | Fixed In |
|---|---|---|---|
| CVE-2025-68121 | CRITICAL | 10.0 | Go 1.25.7, 1.24.13 |
| CVE-2025-61726 | HIGH | 7.5 | Go 1.25.6, 1.24.12 |
| CVE-2025-61728 | MEDIUM | 6.5 | Go 1.25.6, 1.24.12 |
| CVE-2025-61730 | MEDIUM | 5.3 | Go 1.25.6, 1.24.12 |
Direct dependency github.com/quic-go/webtransport-go — pinned at v0.9.0 (go.mod line 34):
| CVE | Severity | CVSS | Fixed In |
|---|---|---|---|
| CVE-2026-21434 | MEDIUM | 5.3 | webtransport-go v0.10.0 |
| CVE-2026-21435 | MEDIUM | 5.3 | webtransport-go v0.10.0 |
| CVE-2026-21438 | MEDIUM | 5.3 | webtransport-go v0.10.0 |
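As an added example (not part of the advisory and not Centrifugo project code), the following Go program reads the build info embedded in a Centrifugo binary, as `go version -m` does, and reports which of the fixed-in versions from the two tables above the binary falls short of. The binary path argument and the version-comparison helper are assumptions of this example.

```go
package main
import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// less reports whether dot-separated version a is strictly below b; leading "go"/"v" is dropped, "rc1" etc. count as 0.
func less(a, b string) bool {
	split := func(s string) []string { return strings.Split(strings.TrimLeft(s, "gov"), ".") }
	atoi := func(s string) int { n, _ := strconv.Atoi(s); return n }
	pa, pb := split(a), split(b)
	for i := 0; i < len(pa) && i < len(pb); i++ {
		if x, y := atoi(pa[i]), atoi(pb[i]); x != y {
			return x < y
		}
	}
	return len(pa) < len(pb)
}

// Assess compares a toolchain version and a module->version map against the fixed-in
// versions from the advisory tables (Go 1.25.7 / 1.24.13; webtransport-go v0.10.0).
func Assess(goVersion string, deps map[string]string) []string {
	var findings []string
	minGo := "go1.25.7" // 1.25.6 fixes three stdlib CVEs; 1.25.7 also fixes CVE-2025-68121
	if strings.HasPrefix(goVersion, "go1.24.") {
		minGo = "go1.24.13"
	}
	if less(goVersion, minGo) {
		findings = append(findings, fmt.Sprintf("toolchain %s < %s: CVE-2025-68121, CVE-2025-61726, CVE-2025-61728, CVE-2025-61730", goVersion, minGo))
	}
	if v, ok := deps["github.com/quic-go/webtransport-go"]; ok && less(v, "v0.10.0") {
		findings = append(findings, fmt.Sprintf("webtransport-go %s < v0.10.0: CVE-2026-21434, CVE-2026-21435, CVE-2026-21438", v))
	}
	return findings
}

// Usage: go run . /path/to/centrifugo (reads the embedded build info like `go version -m`; replace directives are ignored).
func main() {
	bi, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		panic(err)
	}
	deps := map[string]string{}
	for _, d := range bi.Deps {
		deps[d.Path] = d.Version
	}
	fmt.Println(strings.Join(Assess(bi.GoVersion, deps), "\n"))
}
```

A v6.6.0 binary as described above yields two findings; an empty output means both the toolchain and webtransport-go are at or above the fixed-in versions.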