CVE-2026-35041

EUVD-2026-20899 MEDIUM

2026-04-09 GitHub_M

GHSA-cjw9-ghj4-fwxf

4.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch Released

Apr 09, 2026 - 20:30 nvd

Patch available

Analysis Generated

Apr 09, 2026 - 15:30 vuln.today

EUVD ID Assigned

Apr 09, 2026 - 15:30 euvd

EUVD-2026-20899

CVE Published

Apr 09, 2026 - 14:55 nvd

MEDIUM 4.2

Description

fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1.

Analysis

Denial of service in fast-jwt 5.0.0 through 6.2.0 allows authenticated remote attackers with user interaction to cause significant CPU consumption via crafted JWT tokens that trigger catastrophic backtracking in regular expression evaluation when the allowedAud verification option is configured with a regex pattern. The vulnerability exploits attacker-controlled aud claims evaluated against user-supplied regexes, resulting in ReDoS (regular expression denial of service). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +21

POC: 0

CVE-2026-35041 vulnerability details – vuln.today

Back

CVE-2026-35041

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-35041

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code