7 matches found
CVE-2026-44351
fast-jwt provides fast JSON Web Token JWT implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an...
CVE-2026-44351
CVE-2026-44351 — fast-jwt auth bypass (pre-6.2.4) : The vulnerability exists in fast-jwt’s async key-resolver flow when the resolver returns an empty string or zero-length Buffer. The library may treat this as a valid secret and derive allowedAlgorithms as HS256/HS384/HS512, then verify a JWT aga...
CVE-2026-44351 fast-jwt: Empty HMAC secret accepted via async key resolver - JWT auth bypass
fast-jwt provides fast JSON Web Token JWT implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an...
NPM: fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver
NPM: fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver vulnerability discovered by ? in WordPress Npm fast-jwt versions = 6.2.3...
fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver
Summary A critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an empty string '', for example via the common keysdecoded.header.ki...
GHSA-GMVF-9V4P-V8JC fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver
Summary A critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an empty string '', for example via the common keysdecoded.header.ki...
PT-2026-38307
Name of the Vulnerable Software and Affected Versions fast-jwt versions prior to 6.2.4 Description An authentication bypass exists in the asynchronous key-resolver flow. When an application's key resolver returns an empty string '' or a zero-length Buffer, the software converts this to a...