3 matches found
CVE-2026-34950
fast-jwt provides fast JSON Web Token JWT implementation. In 6.1.0 and earlier, the publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact same JWT algorithm confusion attack that CVE-2023-48223 patch...
@jsprismarine/client (>=0.12.2-unstable-20250320195345 <=0.13.1-unstable-20250503082416), @jsprismarine/prismarine (>=0.12.2-unstable-20250320195345 <=0.13.1-unstable-20250503082416) +1 more potentially affected by CVE-2023-48223 +1 more via fast-jwt (>=6.0.0 <=6.0.1)
fast-jwt NPM version =6.0.0, =0.12.2-unstable-20250320195345, =0.12.2-unstable-20250320195345, =0.12.2-unstable-20250320195345, =0.13.1-unstable-20250503082416 Source cves: CVE-2023-48223, CVE-2026-34950 Source advisory: SNYK:JS-FASTJWT-15876721...
CVE-2026-34950
creationtimestamp| type| source ---|---|--- 2026-04-02 08:53:21+00:00| published-proof-of-concept| https://github.com/nearform/fast-jwt/security/advisories/GHSA-mvf2-f6gm-w987 2026-04-06 16:20:11+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mito77wzr22s 2026-04-06...