Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided. Such modifiers are /g (global matching) and /y (sticky matching). This does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes 50% of valid authentication requests to fail in an alternating pattern. This vulnerability is fixed in 6.2.1.
AnalysisAI
fast-jwt before 6.2.1 fails to properly validate JWTs when RegExp modifiers with stateful behavior (/g for global matching and /y for sticky matching) are used in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options. This causes valid authentication tokens to be rejected in an alternating 50% failure pattern due to RegExp state persistence across verification calls, degrading availability of JWT-protected services without compromising token security itself. The vulnerability is fixed in version 6.2.1.
Technical ContextAI
fast-jwt is a high-performance JWT library for Node.js that uses RegExp objects internally for claim validation. The root cause lies in CWE-697 (Incorrect Comparison), stemming from improper handling of stateful RegExp objects in claim verification logic. When developers configure verify() options with RegExp patterns containing the /g (global) or /y (sticky) modifiers, these modifiers maintain internal state (lastIndex property) between successive matches. During sequential token validations, the RegExp state from the previous verification attempt causes the next verification to start matching at an incorrect position or with incorrect flags, resulting in failed claim matching for valid tokens. This is specific to JavaScript/Node.js environments where RegExp objects are mutable and stateful, affecting all versions of fast-jwt prior to 6.2.1 as identified by CPE cpe:2.3:a:nearform:fast-jwt:*:*:*:*:*:*:*:*.
RemediationAI
Vendor-released patch: upgrade to fast-jwt version 6.2.1 or later. The fix is available at https://github.com/nearform/fast-jwt/releases/tag/v6.2.1. For immediate workaround prior to patching, audit verify() function configurations and remove /g and /y modifiers from any RegExp patterns used in allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options; replace stateful RegExp patterns with string matching or RegExp patterns without stateful modifiers. The upstream fix is documented in pull request https://github.com/nearform/fast-jwt/pull/593 and commit 18d25904e4617e8753526d1b3ab5a2cccdea726a.
fast-jwt provides fast JSON Web Token (JWT) implementation. Rated medium severity (CVSS 5.9), this vulnerability is remo
Denial of service in fast-jwt 5.0.0 through 6.2.0 allows authenticated remote attackers with user interaction to cause s
Same weakness CWE-697 – Incorrect Comparison
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20898
GHSA-3j8v-cgw4-2g6q