GHSA-CJW9-GHJ4-FWXF fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification

⚠️ IMPORTANT CLARIFICATIONS Affected Configurations This vulnerability ONLY affects applications that: - Use RegExp objects not strings in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options - Configure patterns susceptible to catastrophic backtracking - Example: allowedAud...

fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)

Impact Using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt...

CVE-2026-35041

The CVE affects fast-jwt versions 5.0.0 through 6.2.0 where allowedAud verification uses a RegExp. The attacker-controlled aud claim, when matched against the provided RegExp, can trigger catastrophic backtracking in the JavaScript engine, causing CPU exhaustion during token verification. This vu...

CVE-2026-35041

fast-jwt provides fast JSON Web Token JWT implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the...

CVE-2026-35040

CVE-2026-35040 affects the fast-jwt library prior to version 6.2.1. The issue involves stateful RegExp modifiers /g and /y used in allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce verify options, which can cause 50% of valid authentication attempts to fail in an alternating pattern...