Skip to main content

Fast Jwt

3 CVEs product

Monthly

CVE-2026-35041 npm MEDIUM PATCH GHSA This Month

Denial of service in fast-jwt 5.0.0 through 6.2.0 allows authenticated remote attackers with user interaction to cause significant CPU consumption via crafted JWT tokens that trigger catastrophic backtracking in regular expression evaluation when the allowedAud verification option is configured with a regex pattern. The vulnerability exploits attacker-controlled aud claims evaluated against user-supplied regexes, resulting in ReDoS (regular expression denial of service). Vendor-released patch available in version 6.2.1.

Denial Of Service Fast Jwt
NVD GitHub
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-35040 npm MEDIUM PATCH GHSA This Month

fast-jwt before 6.2.1 fails to properly validate JWTs when RegExp modifiers with stateful behavior (/g for global matching and /y for sticky matching) are used in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options. This causes valid authentication tokens to be rejected in an alternating 50% failure pattern due to RegExp state persistence across verification calls, degrading availability of JWT-protected services without compromising token security itself. The vulnerability is fixed in version 6.2.1.

Information Disclosure Fast Jwt
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2023-48223 npm MEDIUM POC PATCH This Month

fast-jwt provides fast JSON Web Token (JWT) implementation. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Fast Jwt
NVD GitHub
CVSS 3.1
5.9
EPSS
0.7%
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Denial of service in fast-jwt 5.0.0 through 6.2.0 allows authenticated remote attackers with user interaction to cause significant CPU consumption via crafted JWT tokens that trigger catastrophic backtracking in regular expression evaluation when the allowedAud verification option is configured with a regex pattern. The vulnerability exploits attacker-controlled aud claims evaluated against user-supplied regexes, resulting in ReDoS (regular expression denial of service). Vendor-released patch available in version 6.2.1.

Denial Of Service Fast Jwt
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

fast-jwt before 6.2.1 fails to properly validate JWTs when RegExp modifiers with stateful behavior (/g for global matching and /y for sticky matching) are used in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options. This causes valid authentication tokens to be rejected in an alternating 50% failure pattern due to RegExp state persistence across verification calls, degrading availability of JWT-protected services without compromising token security itself. The vulnerability is fixed in version 6.2.1.

Information Disclosure Fast Jwt
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM POC PATCH This Month

fast-jwt provides fast JSON Web Token (JWT) implementation. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Fast Jwt
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy