Is github.com/centrifugal/centrifugo safe to use?

github.com/centrifugal/centrifugo has 5 known vulnerabilities on the latest version (v1.8.0). DepScope rates its health at 45/100 (high risk).

What is the latest version of github.com/centrifugal/centrifugo?

The latest version of github.com/centrifugal/centrifugo is v1.8.0, released 2018-06-24.

Does github.com/centrifugal/centrifugo have known vulnerabilities?

Yes. github.com/centrifugal/centrifugo has 5 known vulnerabilities. See depscope.dev/pkg/go/github.com/centrifugal/centrifugo for details.

Is github.com/centrifugal/centrifugo deprecated?

No, github.com/centrifugal/centrifugo is actively maintained. Latest release: v1.8.0 (2018-06-24).

What are alternatives to github.com/centrifugal/centrifugo?

DepScope has no curated alternatives for github.com/centrifugal/centrifugo at this time.

What license does github.com/centrifugal/centrifugo use?

github.com/centrifugal/centrifugo is licensed under MIT.

github.com/centrifugal/centrifugo

govv1.8.0

Scalable real-time messaging server in a language-agnostic way. Self-hosted alternative to Pubnub, Pusher, Ably, socket.io, Phoenix.PubSub, SignalR. Set up once and forever.

License MITpermissive58 versions48 maintainers0 deps10,210 weekly dl

centrifugal/centrifugo

/ 100

Health

do not use

github.com/centrifugal/centrifugo has critical vulnerabilities — do not use

Update to >= 6.7.0 to fix known vulnerabilities

1 critical vulnerabilities

Health breakdown0 – 100

0/25

maintenance

10/20

popularity

15/25

security

15/15

maturity

5/15

community

Vulnerabilities

1 critical4 low

Advisories (5)

Severity	ID	Summary	Fixed in
critical	CVE-2026-32301	Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL	6.7.0
low	GO-2026-4703	Centrifugo's InsecureSkipTokenSignatureVerify flag silently disables JWT verification with no warning	6.7.0
unknown	GHSA-j9wf-6r2x-hqmx	Centrifugo v6.6.0 dependency vulnerabilities in github.com/centrifugal/centrifugo	6.6.1
unknown	CVE-2026-32301	Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL in github.com/centrifugal/centrifugo	6.7.0
unknown	GHSA-q926-c743-49qj	Centrifugo's InsecureSkipTokenSignatureVerify flag silently disables JWT verification with no warning in github.com/centrifugal/centrifugo	6.7.0

Health History

Dependency Tree

License Audit

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/go/github.com/centrifugal/centrifugo

Last updated · 2018-06-24T16:32:38Z