Advisories for the Go package github.com/centrifugal/centrifugo/v6

2026

Centrifugo's InsecureSkipTokenSignatureVerify flag silently disables JWT verification with no warning

Centrifugo supports a configuration flag insecure_skip_token_signature_verify that completely disables JWT signature verification. When enabled, Centrifugo accepts any JWT regardless of signature validity — including tokens signed with the wrong key, with a random signature, or with no signature at all. Critically, no warning is logged at startup or at runtime while this flag is active, so the setting is invisible to operators and security auditors reading the logs. Note: this vulnerability requires the operator to have explicitly set insecure_skip_token_signature_verify=true. …
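As an added example (this is not Centrifugo's code), the snippet below is a minimal HS256 verifier in Go with a flag of the same kind. It shows both halves of the advisory: what the flag does to a token signed with the wrong key, and the startup warning the advisory says is missing. TokenConfig, Verifier, SignHS256, the secrets and the claims are all assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"strings"
	"time"
)

// TokenConfig holds the two settings this example needs. The field name
// mirrors the advisory's insecure_skip_token_signature_verify option; the
// struct itself is an assumption for this example, not Centrifugo's config.
type TokenConfig struct {
	HMACSecret                       []byte
	InsecureSkipTokenSignatureVerify bool
}

// StartupWarnings returns the operator-facing warnings a verifier should
// emit for a config: this is the check the advisory says is absent.
func StartupWarnings(cfg TokenConfig) []string {
	var w []string
	if cfg.InsecureSkipTokenSignatureVerify {
		w = append(w, "insecure_skip_token_signature_verify=true: JWT signatures are NOT checked, any token is accepted")
	}
	return w
}

type Verifier struct{ cfg TokenConfig }

// NewVerifier logs every warning at startup so the setting shows up in logs.
func NewVerifier(cfg TokenConfig) *Verifier {
	for _, w := range StartupWarnings(cfg) {
		log.Printf("WARNING: %s", w)
	}
	return &Verifier{cfg: cfg}
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS256 builds a compact JWT so the example has real tokens to test with.
func SignHS256(claims map[string]any, secret []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	signingInput := b64(hdr) + "." + b64(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// Verify parses a compact JWT. With the flag off it rejects any token whose
// HMAC does not match (and any alg other than HS256); with the flag on it
// accepts anything that decodes, which is the behaviour the advisory describes.
func (v *Verifier) Verify(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	if !v.cfg.InsecureSkipTokenSignatureVerify {
		var hdr struct {
			Alg string `json:"alg"`
		}
		hb, err := base64.RawURLEncoding.DecodeString(parts[0])
		if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
			return nil, errors.New("unsupported or malformed header")
		}
		sig, err := base64.RawURLEncoding.DecodeString(parts[2])
		if err != nil {
			return nil, errors.New("malformed signature")
		}
		mac := hmac.New(sha256.New, v.cfg.HMACSecret)
		mac.Write([]byte(parts[0] + "." + parts[1]))
		if !hmac.Equal(sig, mac.Sum(nil)) {
			return nil, errors.New("invalid signature")
		}
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("malformed payload")
	}
	var claims map[string]any
	if err := json.Unmarshal(pb, &claims); err != nil {
		return nil, errors.New("malformed claims")
	}
	if exp, ok := claims["exp"].(float64); ok && time.Now().Unix() > int64(exp) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

func main() {
	secret := []byte("server-secret")                                          // constructed for the example
	forged := SignHS256(map[string]any{"sub": "admin"}, []byte("wrong-key")) // constructed: signed with the wrong key

	_, err := NewVerifier(TokenConfig{HMACSecret: secret}).Verify(forged)
	fmt.Println("strict verifier:", err)

	insecure := NewVerifier(TokenConfig{HMACSecret: secret, InsecureSkipTokenSignatureVerify: true})
	claims, err := insecure.Verify(forged)
	fmt.Println("insecure verifier accepted sub =", claims["sub"], "err =", err)
}
```

With the flag on, the header is never even decoded, so a token with "alg":"none" or a truncated signature passes just as easily as one signed with the wrong key; the only checks left are on the claims themselves. The warning is emitted once, at construction, which is the point where an operator reading startup logs would catch the setting.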

Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL

Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. {{tenant}}). An unauthenticated attacker can craft a JWT with a malicious iss or aud claim value that gets interpolated into the JWKS fetch URL before the token signature is verified, causing Centrifugo to make an outbound HTTP request to an attacker-controlled destination.
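Worked example, added here and not taken from Centrifugo or the advisory: a JWKS URL template filled from the unverified iss claim, first in the vulnerable form and then with the two checks a practitioner would add before interpolating anything from an unverified token (a strict tenant-label pattern, plus a check that the resulting URL stays on the configured domain). The template, the tenant regex, the base domain, the function names and the crafted tokens are all assumptions for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// unverifiedClaims decodes the payload of a compact JWT without checking the
// signature: this is the state the token is in when the JWKS URL is built,
// since no key has been fetched yet.
func unverifiedClaims(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// BuildJWKSURLUnsafe reproduces the vulnerable pattern: the iss claim is
// substituted into the template verbatim.
func BuildJWKSURLUnsafe(tmpl, token string) (string, error) {
	claims, err := unverifiedClaims(token)
	if err != nil {
		return "", err
	}
	iss, _ := claims["iss"].(string)
	return strings.ReplaceAll(tmpl, "{{tenant}}", iss), nil
}

// tenantRe accepts a single lowercase DNS label (an assumption for this example).
var tenantRe = regexp.MustCompile(`^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$`)

// BuildJWKSURLSafe applies two independent checks (assumptions, not
// Centrifugo's fix): the claim must be a plain label, and the final URL must be
// https, carry no userinfo, and sit under baseDomain.
func BuildJWKSURLSafe(tmpl, token, baseDomain string) (string, error) {
	claims, err := unverifiedClaims(token)
	if err != nil {
		return "", err
	}
	iss, ok := claims["iss"].(string)
	if !ok || !tenantRe.MatchString(iss) {
		return "", fmt.Errorf("iss %q is not a valid tenant label", iss)
	}
	u, err := url.Parse(strings.ReplaceAll(tmpl, "{{tenant}}", iss))
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || u.User != nil || !strings.HasSuffix(u.Hostname(), "."+baseDomain) {
		return "", fmt.Errorf("JWKS URL %q escapes %s", u.String(), baseDomain)
	}
	return u.String(), nil
}

// craftToken builds a JWT with a garbage signature (constructed for the
// example); the vulnerable code path never looks at the signature anyway.
func craftToken(iss string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, _ := json.Marshal(map[string]string{"iss": iss, "sub": "anyone"})
	enc := base64.RawURLEncoding.EncodeToString
	return enc(hdr) + "." + enc(body) + "." + enc([]byte("not-a-real-signature"))
}

func main() {
	const tmpl = "https://{{tenant}}.idp.example.com/.well-known/jwks.json"
	evil := craftToken("attacker.test/?") // constructed: the rest of the template becomes a query string
	u, _ := BuildJWKSURLUnsafe(tmpl, evil)
	fmt.Println("unsafe:", u)
	_, err := BuildJWKSURLSafe(tmpl, evil, "idp.example.com")
	fmt.Println("safe rejects:", err)
	u, _ = BuildJWKSURLSafe(tmpl, craftToken("acme"), "idp.example.com")
	fmt.Println("safe accepts:", u)
}
```

The unsafe builder turns the crafted iss into https://attacker.test/?.idp.example.com/.well-known/jwks.json, so the fetch lands on the attacker's host with the intended hostname demoted to a query string. The label regex alone stops that; the host check is there so a later change to the template (for instance putting the placeholder in the path) cannot quietly reopen the hole. Where the set of tenants is known, a lookup from tenant name to a fixed URL avoids interpolation altogether.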

Centrifugo v6.6.0 dependency vulnerabilities

The Centrifugo v6.6.0 binary is compiled with Go 1.25.5 and statically links github.com/quic-go/webtransport-go v0.9.0, and carries 7 known CVEs.

Go standard library (compiled with Go 1.25.5):

| CVE | Severity | CVSS | Fixed In |
|-----|----------|------|----------|
| CVE-2025-68121 | CRITICAL | 10.0 | Go 1.25.7, 1.24.13 |
| CVE-2025-61726 | HIGH | 7.5 | Go 1.25.6, 1.24.12 |
| CVE-2025-61728 | MEDIUM | 6.5 | Go 1.25.6, 1.24.12 |
…
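Rows like these can be checked against a deployed binary without its source, because Go embeds the toolchain version and the full module list in every binary and debug/buildinfo reads them back. The checker below is an added example (not Centrifugo's or the advisory's tooling): the three toolchain rows are copied from the table above, the BuildInfo used when no path is given is constructed from what the page says about v6.6.0, and the version comparison is a small helper, not a full semver implementation.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Advisory is one row of the table above: the affected module ("go" for the
// toolchain itself) and the first fixed version on each listed release line.
type Advisory struct {
	ID, Module string
	FixedIn    []string
}

// PageAdvisories holds the three toolchain rows visible on the page.
var PageAdvisories = []Advisory{
	{"CVE-2025-68121", "go", []string{"go1.25.7", "go1.24.13"}},
	{"CVE-2025-61726", "go", []string{"go1.25.6", "go1.24.12"}},
	{"CVE-2025-61728", "go", []string{"go1.25.6", "go1.24.12"}},
}

// parseVersion turns "go1.25.5" or "v0.9.0" into numeric components.
// Pre-release and build suffixes ("-rc1", "+meta") are dropped, so an rc
// compares as its base version; good enough for release toolchains.
func parseVersion(s string) [3]int {
	s = strings.TrimPrefix(strings.TrimPrefix(s, "go"), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	var out [3]int
	for i, p := range strings.SplitN(s, ".", 3) {
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

func versionLess(a, b string) bool {
	x, y := parseVersion(a), parseVersion(b)
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

func sameLine(a, b string) bool {
	x, y := parseVersion(a), parseVersion(b)
	return x[0] == y[0] && x[1] == y[1]
}

// applies decides whether installed version v is still affected. On a listed
// release line the fix for that line is compared directly. An unlisted line is
// affected if it is older than every listed fix (an unsupported line) and is
// treated as fixed if it is newer than all of them.
func applies(v string, fixed []string) (string, bool) {
	for _, f := range fixed {
		if sameLine(v, f) {
			return f, versionLess(v, f)
		}
	}
	lowest := fixed[0]
	for _, f := range fixed[1:] {
		if versionLess(f, lowest) {
			lowest = f
		}
	}
	return lowest, versionLess(v, lowest)
}

// Findings matches build info against the advisory table: the toolchain
// version against "go" rows, every linked module (honouring replace
// directives) against module rows.
func Findings(info *debug.BuildInfo, advisories []Advisory) []string {
	installed := map[string]string{"go": info.GoVersion}
	for _, d := range info.Deps {
		m := d
		if d.Replace != nil {
			m = d.Replace
		}
		installed[m.Path] = m.Version
	}
	var out []string
	for _, a := range advisories {
		if v, ok := installed[a.Module]; ok {
			if fix, vuln := applies(v, a.FixedIn); vuln {
				out = append(out, fmt.Sprintf("%s: %s %s (fixed in %s)", a.ID, a.Module, v, fix))
			}
		}
	}
	return out
}

// SampleCentrifugo660 is a constructed BuildInfo matching what the page says
// about the v6.6.0 binary; a real one comes from buildinfo.ReadFile in main.
func SampleCentrifugo660() *debug.BuildInfo {
	return &debug.BuildInfo{
		GoVersion: "go1.25.5",
		Path:      "github.com/centrifugal/centrifugo/v6",
		Deps:      []*debug.Module{{Path: "github.com/quic-go/webtransport-go", Version: "v0.9.0"}},
	}
}

func main() {
	info := SampleCentrifugo660()
	if len(os.Args) > 1 { // usage: go run . /path/to/centrifugo
		bi, err := buildinfo.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		info = bi
	}
	fmt.Println("toolchain:", info.GoVersion)
	for _, f := range Findings(info, PageAdvisories) {
		fmt.Println("VULNERABLE", f)
	}
}
```

Run against the constructed build info it reports all three toolchain CVEs; pointed at a real binary it reads the same data that go version -m prints. The table only covers the rows the page shows, so a clean result here says nothing about the webtransport-go CVEs the page truncates; for a complete picture, feed the binary to govulncheck in binary mode, which uses the Go vulnerability database rather than a hand-copied table.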