Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

3 matches found

OSV
OSVadded 2026/04/09 4:41 p.m.2 views

GHSA-CJW9-GHJ4-FWXF fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification

⚠️ IMPORTANT CLARIFICATIONS Affected Configurations This vulnerability ONLY affects applications that: - Use RegExp objects not strings in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options - Configure patterns susceptible to catastrophic backtracking - Example: allowedAud...

4.2CVSS5.9AI score0.00048EPSS
Exploits1References6
Github Security Blog
Github Security Blogadded 2026/04/09 4:41 p.m.7 views

fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)

Impact Using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt...

5.3CVSS5.9AI score0.00182EPSS
Exploits1References6Affected Software1
CVE
CVEadded 2026/04/09 2:52 p.m.3 views

CVE-2026-35040

CVE-2026-35040 affects the fast-jwt library prior to version 6.2.1. The issue involves stateful RegExp modifiers /g and /y used in allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce verify options, which can cause 50% of valid authentication attempts to fail in an alternating pattern...

5.3CVSS5.9AI score0.00182EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder