Skip to main content

Fast Jwt CVE-2026-35040

| EUVDEUVD-2026-20898 MEDIUM
Incorrect Comparison (CWE-697)
2026-04-09 GitHub_M GHSA-3j8v-cgw4-2g6q
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Apr 09, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 15:30 euvd
EUVD-2026-20898
Analysis Generated
Apr 09, 2026 - 15:30 vuln.today
CVE Published
Apr 09, 2026 - 14:52 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided. Such modifiers are /g (global matching) and /y (sticky matching). This does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes 50% of valid authentication requests to fail in an alternating pattern. This vulnerability is fixed in 6.2.1.

AnalysisAI

fast-jwt before 6.2.1 fails to properly validate JWTs when RegExp modifiers with stateful behavior (/g for global matching and /y for sticky matching) are used in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options. This causes valid authentication tokens to be rejected in an alternating 50% failure pattern due to RegExp state persistence across verification calls, degrading availability of JWT-protected services without compromising token security itself. The vulnerability is fixed in version 6.2.1.

Technical ContextAI

fast-jwt is a high-performance JWT library for Node.js that uses RegExp objects internally for claim validation. The root cause lies in CWE-697 (Incorrect Comparison), stemming from improper handling of stateful RegExp objects in claim verification logic. When developers configure verify() options with RegExp patterns containing the /g (global) or /y (sticky) modifiers, these modifiers maintain internal state (lastIndex property) between successive matches. During sequential token validations, the RegExp state from the previous verification attempt causes the next verification to start matching at an incorrect position or with incorrect flags, resulting in failed claim matching for valid tokens. This is specific to JavaScript/Node.js environments where RegExp objects are mutable and stateful, affecting all versions of fast-jwt prior to 6.2.1 as identified by CPE cpe:2.3:a:nearform:fast-jwt:*:*:*:*:*:*:*:*.

RemediationAI

Vendor-released patch: upgrade to fast-jwt version 6.2.1 or later. The fix is available at https://github.com/nearform/fast-jwt/releases/tag/v6.2.1. For immediate workaround prior to patching, audit verify() function configurations and remove /g and /y modifiers from any RegExp patterns used in allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options; replace stateful RegExp patterns with string matching or RegExp patterns without stateful modifiers. The upstream fix is documented in pull request https://github.com/nearform/fast-jwt/pull/593 and commit 18d25904e4617e8753526d1b3ab5a2cccdea726a.

Share

CVE-2026-35040 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy