7 matches found

Vulnrichment
added 2026/04/06 3:54 p.m., 2 views

CVE-2026-34950 fast-jwt has an incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key

fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, the publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact same JWT algorithm confusion attack that CVE-2023-48223 patch...

CVSS 9.1, AI score 6.2, EPSS 0.00235
Exploits: 1, References: 1

CVE
added 2026/04/06 3:54 p.m., 17 views

CVE-2026-34950

CVE-2026-34950 affects the fast-jwt library (6.1.0 and earlier). The publicKeyPemMatcher in fast-jwt/src/crypto.js uses an anchored regex starting with ^, which is defeated by any leading whitespace in the key string. This misclassifies RSA public keys with leading whitespace, allowing an attacke...

CVSS 9.1, AI score 6.2, EPSS 0.00235
Exploits: 1, References: 1, Affected Software: 1

OSV
added 2026/04/02 8:37 p.m., 3 views

GHSA-MVF2-F6GM-W987 fast-jwt: Incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key

Summary: The fix for GHSA-c2ff-88x2-x9pg (CVE-2023-48223) is incomplete. The publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact same JWT algorithm confusion attack that the CVE patched. Details: The f...

CVSS 9.1, AI score 6, EPSS 0.00235
Exploits: 1, References: 4

vulnersOsv
added 2026/04/02 8:37 p.m., 6 views

@jsprismarine/client (>=0.12.2-unstable-20250320195345 <=0.13.1-unstable-20250503082416), @jsprismarine/prismarine (>=0.12.2-unstable-20250320195345 <=0.13.1-unstable-20250503082416) +1 more potentially affected by CVE-2023-48223 +1 more via fast-jwt (>=6.0.0 <=6.0.1)

fast-jwt NPM version =6.0.0, =0.12.2-unstable-20250320195345, =0.12.2-unstable-20250320195345, =0.12.2-unstable-20250320195345, =0.13.1-unstable-20250503082416 Source cves: CVE-2023-48223, CVE-2026-34950 Source advisory: SNYK:JS-FASTJWT-15876721...

CVSS 9.1, AI score 6.2, EPSS 0.00687
Exploits: 2

vulnersOsv
added 2023/11/20 8:58 p.m., 6 views

@aitech-asia/cms (>=0.0.1 <=0.1.73), @aitech-asia/mongoose (>=0.0.1 <=0.0.36) +121 more potentially affected by CVE-2023-48223 via fast-jwt (>=0.1.1 <=3.0.0)

fast-jwt NPM version =0.1.1, =0.0.1, =0.0.1, =0.2.0, =0.2.0, =0.8.0, =0.1.1, =0.5.0, =0.7.0, =0.1.1, =0.4.0, =0.1.0, =0.1.0, =0.1.1, =0.7.1, =0.3.0, =1.0.0-beta.0 and more Source cves: CVE-2023-48223 Source advisory: OSV:GHSA-C2FF-88X2-X9PG...

CVSS 5.9, AI score 6.2, EPSS 0.00687
Exploits: 1

CVE
added 2023/11/20 5:39 p.m., 55 views

CVE-2023-48223

fast-jwt prior to v3.3.2 contains a publicKeyPemMatcher bug that fails to cover all PEM formats for public keys, enabling an algorithm-confusion attack (HS256 signed with an RSA public key) when RS256 is used and the verifier does not explicitly specify an algorithm. A patch in v3.3.2 fixes this ...

CVSS 5.9, AI score 5.6, EPSS 0.00687
Exploits: 1, References: 3, Affected Software: 1

Circl
added 2023/11/20 2:51 p.m., 5 views

CVE-2023-48223

creationtimestamp | type | source
---|---|---
2023-11-20 14:51:04+00:00 | published-proof-of-concept | https://github.com/nearform/fast-jwt/security/advisories/GHSA-c2ff-88x2-x9pg
2026-04-06 17:32:59+00:00 | seen | Telegram/Nu9QDXzNbve1iNgaEifpWzTHqsZ9MAX7l9lhuN92ZYucbK4...

CVSS 5.9, AI score 6.2, EPSS 0.00687
Exploits: 1, References: 1