Skip to main content

Fast Jwt CVE-2026-35041

| EUVDEUVD-2026-20899 MEDIUM
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-04-09 GitHub_M GHSA-cjw9-ghj4-fwxf
4.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Apr 09, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 15:30 euvd
EUVD-2026-20899
Analysis Generated
Apr 09, 2026 - 15:30 vuln.today
CVE Published
Apr 09, 2026 - 14:55 nvd
MEDIUM 4.2

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 npm packages depend on fast-jwt (2 direct, 2 indirect)

Ecosystem-wide dependent count for version 5.0.0.

DescriptionGitHub Advisory

fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1.

AnalysisAI

Denial of service in fast-jwt 5.0.0 through 6.2.0 allows authenticated remote attackers with user interaction to cause significant CPU consumption via crafted JWT tokens that trigger catastrophic backtracking in regular expression evaluation when the allowedAud verification option is configured with a regex pattern. The vulnerability exploits attacker-controlled aud claims evaluated against user-supplied regexes, resulting in ReDoS (regular expression denial of service). Vendor-released patch available in version 6.2.1.

Technical ContextAI

fast-jwt is a JavaScript library providing JWT signing and verification functionality. The vulnerability exists in the allowedAud verification logic, which permits configuration of audience claim validation using regular expressions. When JWT verification occurs, the attacker-controlled aud claim value is evaluated against the configured regex pattern using the JavaScript regex engine. Crafted aud claim payloads can construct inputs that cause catastrophic backtracking (ReDoS) in the regex engine, triggering exponential time complexity during pattern matching. CWE-1333 (Inefficient Regular Expression Complexity) classifies this root cause. The affected versions span the 5.0.0 through 6.2.0 release range of the nearform/fast-jwt package (cpe:2.3:a:nearform:fast-jwt:*:*:*:*:*:*:*:*).

RemediationAI

Vendor-released patch: fast-jwt version 6.2.1 or later. Upgrade the fast-jwt package to version 6.2.1 immediately. The fix is documented in GitHub commit b0be0ca161593836a153d5180ca5358ad9b5de94 and release https://github.com/nearform/fast-jwt/releases/tag/v6.2.1. For applications unable to upgrade immediately, audit JWT verification configurations to identify use of allowedAud with regular expressions; consider replacing regex-based audience validation with explicit string matching or whitelist-based approaches. Review access controls to ensure high-privilege token generation is restricted.

Share

CVE-2026-35041 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy