# CVE-2026-35042

Severity: HIGH

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

## Description
## Summary

`fast-jwt` does not validate the `crit` (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a `crit` array listing extensions that `fast-jwt` does not understand, the library accepts the token instead of rejecting it. This violates the **MUST** requirement in the RFC.

---

## RFC Requirement

RFC 7515 §4.1.11:

> If any of the listed extension Header Parameters are **not understood and supported** by the recipient, then the **JWS is invalid**.

---

## Proof of Concept

```javascript
const { createSigner, createVerifier } = require("fast-jwt"); // v3.3.3

const signer = createSigner({ key: "secret", algorithm: "HS256" });
const token = signer({
  sub: "attacker",
  role: "admin",
  header: { crit: ["x-custom-policy"], "x-custom-policy": "require-mfa" },
});

// Should REJECT - x-custom-policy is not understood
const verifier = createVerifier({ key: "secret", algorithms: ["HS256"] });
try {
  const result = verifier(token);
  console.log("ACCEPTED:", result); // Output: ACCEPTED: { sub: 'attacker', role: 'admin' }
} catch (e) {
  console.log("REJECTED:", e.message);
}
```

**Expected:** Error - unsupported critical extension

**Actual:** Token accepted.
### Comparison

```javascript
// jose (panva) v4+ - correctly rejects
const jose = require("jose");

(async () => {
  try {
    // `token` is the crit-bearing token produced in the proof of concept above
    await jose.jwtVerify(token, new TextEncoder().encode("secret"));
  } catch (e) {
    console.log(e.message);
    // throws: Extension Header Parameter "x-custom-policy" is not recognized
  }
})();
```

---

## Impact

- **Split-brain verification** in mixed-library environments
- **Security policy bypass** when `crit` carries enforcement semantics
- **Token binding bypass** (RFC 7800 `cnf` confirmation)
- See CVE-2025-59420 for full impact analysis

---

## Suggested Fix

In `src/verifier.js`, add crit validation after header decoding:

```javascript
const SUPPORTED_CRIT = new Set(["b64"]);

function validateCrit(header) {
  if (!header.crit) return;
  if (!Array.isArray(header.crit) || header.crit.length === 0)
    throw new Error("crit must be a non-empty array");
  for (const ext of header.crit) {
    if (!SUPPORTED_CRIT.has(ext))
      throw new Error(`Unsupported critical extension: ${ext}`);
    if (!(ext in header))
      throw new Error(`Critical extension ${ext} not present in header`);
  }
}
```
## Analysis

A JWT validation bypass in the fast-jwt npm library (all versions through 3.3.3) allows unauthenticated remote attackers to forge tokens carrying critical header parameters, achieving authentication bypass and security policy circumvention. The library violates RFC 7515 by accepting JWS tokens containing unrecognized `crit` extensions that MUST be rejected per the specification. …
## Remediation

- Within 24 hours: Identify all applications and services using the fast-jwt library via dependency scanning (npm audit, Snyk, or equivalent) and document the affected systems.
- Within 7 days: Contact the fast-jwt development team to confirm the patch timeline; as an immediate compensating control, validate JWT tokens exclusively through an external hardened JWT library (e.g., jsonwebtoken with strict RFC 7515 enforcement) in a wrapper layer until the patch is released. …
External POC / Exploit Code: GHSA-hm7r-c7qw-ghp6