3 matches found
CVE-2026-35042 fast-jwt accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
fast-jwt provides fast JSON Web Token JWT implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token...
@jsprismarine/client (>=0.12.2-unstable-20250320195345 <=0.13.1-unstable-20250503082416), @jsprismarine/prismarine (>=0.12.2-unstable-20250320195345 <=0.13.1-unstable-20250503082416) +1 more potentially affected by CVE-2026-35042 via fast-jwt (>=6.0.0 <=6.0.1)
fast-jwt NPM version =6.0.0, =0.12.2-unstable-20250320195345, =0.12.2-unstable-20250320195345, =0.12.2-unstable-20250320195345, =0.13.1-unstable-20250503082416 Source cves: CVE-2026-35042 Source advisory: SNYK:JS-FASTJWT-15907854...
CVE-2026-35042
creationtimestamp| type| source ---|---|--- 2026-04-02 08:54:15+00:00| published-proof-of-concept| https://github.com/nearform/fast-jwt/security/advisories/GHSA-hm7r-c7qw-ghp6 2026-04-06 17:19:10+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mitripteju2x 2026-04-06...