Severity by source
AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 4 npm packages depend on fast-jwt (2 direct, 2 indirect)
Ecosystem-wide dependent count for version 5.0.0.
DescriptionGitHub Advisory
fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1.
AnalysisAI
Denial of service in fast-jwt 5.0.0 through 6.2.0 allows authenticated remote attackers with user interaction to cause significant CPU consumption via crafted JWT tokens that trigger catastrophic backtracking in regular expression evaluation when the allowedAud verification option is configured with a regex pattern. The vulnerability exploits attacker-controlled aud claims evaluated against user-supplied regexes, resulting in ReDoS (regular expression denial of service). Vendor-released patch available in version 6.2.1.
Technical ContextAI
fast-jwt is a JavaScript library providing JWT signing and verification functionality. The vulnerability exists in the allowedAud verification logic, which permits configuration of audience claim validation using regular expressions. When JWT verification occurs, the attacker-controlled aud claim value is evaluated against the configured regex pattern using the JavaScript regex engine. Crafted aud claim payloads can construct inputs that cause catastrophic backtracking (ReDoS) in the regex engine, triggering exponential time complexity during pattern matching. CWE-1333 (Inefficient Regular Expression Complexity) classifies this root cause. The affected versions span the 5.0.0 through 6.2.0 release range of the nearform/fast-jwt package (cpe:2.3:a:nearform:fast-jwt:*:*:*:*:*:*:*:*).
RemediationAI
Vendor-released patch: fast-jwt version 6.2.1 or later. Upgrade the fast-jwt package to version 6.2.1 immediately. The fix is documented in GitHub commit b0be0ca161593836a153d5180ca5358ad9b5de94 and release https://github.com/nearform/fast-jwt/releases/tag/v6.2.1. For applications unable to upgrade immediately, audit JWT verification configurations to identify use of allowedAud with regular expressions; consider replacing regex-based audience validation with explicit string matching or whitelist-based approaches. Review access controls to ensure high-privilege token generation is restricted.
fast-jwt provides fast JSON Web Token (JWT) implementation. Rated medium severity (CVSS 5.9), this vulnerability is remo
fast-jwt before 6.2.1 fails to properly validate JWTs when RegExp modifiers with stateful behavior (/g for global matchi
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20899
GHSA-cjw9-ghj4-fwxf