GHSA-Q926-C743-49QJ

Vulnerability from github – Published: 2026-03-13 20:44 – Updated: 2026-03-27 21:17
VLAI
Summary
Centrifugo's InsecureSkipTokenSignatureVerify flag silently disables JWT verification with no warning
Details

Summary

Centrifugo supports a configuration flag insecure_skip_token_signature_verify that completely disables JWT signature verification. When enabled, Centrifugo accepts any JWT token regardless of signature validity — including tokens signed with wrong keys, random signatures, or no signature at all. Critically, no warning is logged at startup or runtime when this flag is active, making it invisible to operators and security auditors.

Note: This vulnerability requires the operator to have explicitly set insecure_skip_token_signature_verify=true. The core issue is the absence of any warning when this flag is active, making accidental production exposure undetectable.

Details

The flag is defined in internal/configtypes/types.go:

InsecureSkipTokenSignatureVerify bool `mapstructure:"insecure_skip_token_signature_verify"`

It is passed directly to token verification in internal/client/handler.go:

token, err := h.tokenVerifier.VerifyConnectToken(e.Token, 
    cfg.Client.InsecureSkipTokenSignatureVerify)

In token_verifier_jwt.go, when skipVerify=true the entire signature block is bypassed:

if !skipVerify {
    // This block never executes
    err = verifier.verifySignature(token)
}

The flag is configurable via multiple vectors making accidental exposure likely: - Config file: insecure_skip_token_signature_verify: true - Environment variable: CENTRIFUGO_INSECURE_SKIP_TOKEN_SIGNATURE_VERIFY=true - YAML, TOML config formats

Despite hmac_secret_key being configured, startup logs show "enabled JWT verifiers" — falsely implying verification is active.

PoC

Config with legitimate HMAC key but skip flag enabled:

{
  "client": {
    "insecure_skip_token_signature_verify": true,
    "token": { "hmac_secret_key": "legitimate-production-secret-key" }
  }
}

Token signed with completely wrong key is fully accepted:

VULNERABILITY CONFIRMED!
Connected as user: {'client': '899dec73...', 'version': '0.0.0 OSS'}

No security warning emitted when insecure_skip_token_signature_verify=true: 1

Token signed with wrong key accepted, authentication bypass confirmed: 2

skipVerify flag propagated from config to all token verification calls: 3

Impact

  • Any unauthenticated user can connect as any arbitrary user ID
  • Complete authentication bypass — attacker sets any sub claim value
  • No indicators in logs that the server is operating insecurely
  • Easily triggered accidentally via environment variable injection in containerized deployments (e.g. misconfigured Kubernetes secrets)
  • Affects all connection types: WebSocket, HTTP-streaming, SSE, GRPC

Suggested Fix

  1. Emit a loud startup warning when flag is enabled:
if cfg.Client.InsecureSkipTokenSignatureVerify {
    log.Warn().Msg("SECURITY WARNING: JWT signature verification is " +
        "DISABLED via insecure_skip_token_signature_verify - " + 
        "DO NOT use in production!")
}
  1. Consider requiring an additional explicit insecure_mode: true flag to prevent accidental single-flag misconfiguration
  2. Log a warning on every accepted token when skip is active
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.6.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/centrifugal/centrifugo/v6"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/centrifugal/centrifugo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/centrifugal/centrifugo/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/centrifugal/centrifugo/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/centrifugal/centrifugo/v5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "5.4.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-13T20:44:37Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\nCentrifugo supports a configuration flag `insecure_skip_token_signature_verify` that completely disables JWT signature verification. When enabled, Centrifugo accepts any JWT token regardless of signature validity \u2014 including tokens signed with wrong keys, random signatures, or no signature at all. Critically, no warning is logged at startup or runtime when this flag is active, making it invisible to operators and security auditors.\n\nNote: This vulnerability requires the operator to have explicitly set insecure_skip_token_signature_verify=true. The core issue is the absence of any warning when this flag is active, making accidental production exposure undetectable.\n\n### Details\nThe flag is defined in `internal/configtypes/types.go`:\n```\nInsecureSkipTokenSignatureVerify bool `mapstructure:\"insecure_skip_token_signature_verify\"`\n```\n\nIt is passed directly to token verification in `internal/client/handler.go`:\n```\ntoken, err := h.tokenVerifier.VerifyConnectToken(e.Token, \n    cfg.Client.InsecureSkipTokenSignatureVerify)\n```\n\nIn `token_verifier_jwt.go`, when `skipVerify=true` the entire signature block is bypassed:\n```go\nif !skipVerify {\n    // This block never executes\n    err = verifier.verifySignature(token)\n}\n```\nThe flag is configurable via multiple vectors making accidental exposure likely:\n- Config file: `insecure_skip_token_signature_verify: true`\n- Environment variable: `CENTRIFUGO_INSECURE_SKIP_TOKEN_SIGNATURE_VERIFY=true`\n- YAML, TOML config formats\n\nDespite `hmac_secret_key` being configured, startup logs show `\"enabled JWT verifiers\"` \u2014 falsely implying verification is active.\n\n### PoC\nConfig with legitimate HMAC key but skip flag enabled:\n```json\n{\n  \"client\": {\n    \"insecure_skip_token_signature_verify\": true,\n    \"token\": { \"hmac_secret_key\": \"legitimate-production-secret-key\" }\n  }\n}\n```\n\nToken signed with completely wrong key is fully accepted:\n```\nVULNERABILITY CONFIRMED!\nConnected as user: {\u0027client\u0027: \u0027899dec73...\u0027, \u0027version\u0027: \u00270.0.0 OSS\u0027}\n```\n\nNo security warning emitted when insecure_skip_token_signature_verify=true:\n![1](https://github.com/user-attachments/assets/606acae0-e6f7-467f-b512-b5350ec6cf38)\n\nToken signed with wrong key accepted, authentication bypass confirmed:\n![2](https://github.com/user-attachments/assets/a400c0bf-b78c-40cf-8c73-07fdabb0c672)\n\nskipVerify flag propagated from config to all token verification calls:\n![3](https://github.com/user-attachments/assets/4141eb05-0371-46e1-acb7-8a9091c45693)\n\n### Impact\n- Any unauthenticated user can connect as any arbitrary user ID\n- Complete authentication bypass \u2014 attacker sets any `sub` claim value\n- No indicators in logs that the server is operating insecurely\n- Easily triggered accidentally via environment variable injection\n  in containerized deployments (e.g. misconfigured Kubernetes secrets)\n- Affects all connection types: WebSocket, HTTP-streaming, SSE, GRPC\n \n### Suggested Fix\n1. Emit a loud startup warning when flag is enabled:\n```go\nif cfg.Client.InsecureSkipTokenSignatureVerify {\n    log.Warn().Msg(\"SECURITY WARNING: JWT signature verification is \" +\n        \"DISABLED via insecure_skip_token_signature_verify - \" + \n        \"DO NOT use in production!\")\n}\n```\n2. Consider requiring an additional explicit `insecure_mode: true` flag to prevent accidental single-flag misconfiguration\n3. Log a warning on every accepted token when skip is active",
  "id": "GHSA-q926-c743-49qj",
  "modified": "2026-03-27T21:17:00Z",
  "published": "2026-03-13T20:44:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/centrifugal/centrifugo/security/advisories/GHSA-q926-c743-49qj"
    },
    {
      "type": "WEB",
      "url": "https://github.com/centrifugal/centrifugo/commit/dab80fe3adfe0bbeca3bb3ea45e6d95df9f601a8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/centrifugal/centrifugo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/centrifugal/centrifugo/releases/tag/v6.7.0"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2026-4703"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Centrifugo\u0027s InsecureSkipTokenSignatureVerify flag silently disables JWT verification with no warning"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…