Unauthenticated attackers can exploit an SSRF vulnerability in Centrifugo to scan internal networks or access sensitive metadata services by manipulating JWT claims.

This is an unauthenticated SSRF vulnerability triggered during the JWT verification process. When Centrifugo is configured to use dynamic JWKS URLs, an attacker can craft a JWT with malicious iss or aud claims that are interpolated into the fetch URL, forcing the server to make requests to attacker-controlled internal or external destinations.

With a CVSS score of 9.3, this vulnerability poses a significant risk to internal infrastructure. Attackers can use the Centrifugo server as a proxy to bypass firewalls, conduct internal port scanning, or interact with sensitive internal services like cloud metadata APIs. This can lead to further credential theft and lateral movement within the network.

Immediate Action: Update Centrifugo to version 6.7.0 or later, which implements proper validation for interpolated JWKS URL variables.

Proactive Monitoring: Review outbound network logs from Centrifugo instances for requests to unexpected IP addresses or internal service endpoints.

Compensating Controls: Implement strict egress filtering on the Centrifugo host to prevent it from initiating connections to internal network segments or unauthorized external domains.

Public Exploit Available: false

Centrifugo administrators should prioritize the update to version 6.7.0. If dynamic JWKS endpoints are utilized, the risk is immediate and severe. Ensure that the Centrifugo service is running with the least privilege necessary and that network-level protections are in place to limit the scope of potential SSRF attacks.