GHSA-J9WF-6R2X-HQMX: Centrifugo v6.6.0: The Supply Chain Trojan Horse

Centrifugo v6.6.0: The Supply Chain Trojan Horse Vulnerability ID: GHSA-J9WF-6R2X-HQMX CVSS Score: 6.5 Published: 2026-02-19 A classic supply chain compromise affecting the Centrifugo real-time messaging server. Version v6.6.0 shipped with vulnerable third-party Go dependencies, effectively embedding critical flaws directly into the build artifact. This advisory highlights the risks of transitive dependencies in modern Go applications, where a single outdated package can turn a secure fortress into a house of cards. TL;DR Centrifugo v6.6.0 included vulnerable Go dependencies (likely networking or serialization libraries) in its release build. Attackers can exploit these underlying libraries to cause Denial of Service (DoS) or potentially execute code, despite the core Centrifugo code being secure. Fixed in v6.6.1 via dependency updates. ⚠️ Exploit Status: POC Technical Details Attack Vector : Network (Remote) CVSS v3.1 : 6.5 (Medium) Impact : Denial of Service / Potential RCE Affected

GHSA-J9WF-6R2X-HQMX: Centrifugo v6.6.0: The Supply Chain Trojan Horse

Related Articles

5 Campfire Songs Anyone Can Play on Guitar (Free Chord Charts)

Bybit vs HTX — Which Crypto Exchange Is Better? (2026)

Stop Posting Noise: Building in Public Needs Real Value

We got an audience with the "Lunar Viceroy" to talk how NASA will build a Moon base

Greatings

Related Articles

How-To
5 Campfire Songs Anyone Can Play on Guitar (Free Chord Charts)
Dev.to Beginners • 5d ago

How-To
Bybit vs HTX — Which Crypto Exchange Is Better? (2026)
Dev.to Beginners • 5d ago

How-To
Stop Posting Noise: Building in Public Needs Real Value
Dev.to Beginners • 5d ago

How-To
We got an audience with the "Lunar Viceroy" to talk how NASA will build a Moon base
Ars Technica • 5d ago

How-To
Greatings
Dev.to Tutorial • 5d ago