78 matches found
CVE-2026-35041
fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the...
CVE-2026-44351
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an...
CVE-2026-44351
CVE-2026-44351 — fast-jwt auth bypass (pre-6.2.4): The vulnerability exists in fast-jwt’s async key-resolver flow when the resolver returns an empty string or zero-length Buffer. The library may treat this as a valid secret and derive allowedAlgorithms as HS256/HS384/HS512, then verify a JWT aga...
CVE-2026-44351 fast-jwt: Empty HMAC secret accepted via async key resolver - JWT auth bypass
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an...
fast-jwt authorization issue vulnerability
fast-jwt is a JSON Web Token implementation open-sourced by Nearform. Versions of fast-jwt prior to 6.2.4 contained an authorization vulnerability. This vulnerability stemmed from a critical authentication bypass in the asynchronous key resolution process, allowing unauthenticated attackers to...
NPM: fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver
NPM: fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver vulnerability discovered by ? in WordPress Npm fast-jwt versions = 6.2.3...
GHSA-GMVF-9V4P-V8JC fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver
Summary A critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an empty string '', for example via the common keysdecoded.header.ki...
@jsprismarine/client (>=0.1.0-rc.50 <=0.13.1-unstable-20250503082416), @jsprismarine/prismarine (>=0.12.2-unstable-20250320195345 <=0.13.1-unstable-20250503082416) +2 more potentially affected by CVE-2026-44351 via fast-jwt (>=6.0.0 <=6.0.1)
fast-jwt NPM version =6.0.0, =0.1.0-rc.50, =0.12.2-unstable-20250320195345, =0.1.0-rc.50, =0.1.0-rc.50, =0.1.0-rc.52 Source cves: CVE-2026-44351 Source advisory: SNYK:JS-FASTJWT-16439016...
CVE-2026-44351
creationtimestamp | type | source
---|---|---
2026-04-29 11:07:21+00:00 | published-proof-of-concept | https://github.com/nearform/fast-jwt/security/advisories/GHSA-gmvf-9v4p-v8jc...
Regular Expression Denial Of Service
fast-jwt is vulnerable to Regular Expression Denial of Service. The vulnerability is due to the library allowing regular expressions in claim validation, where a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during...
CVE-2026-35040
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are statef...
@albirex/platformatic-logto (>=1.0.0 <=3.0.1), @aoi-js/server (>=1.2.3 <=1.2.11) +115 more potentially affected by CVE-2026-35041 via fast-jwt (>=5.0.0 <=6.0.1)
fast-jwt NPM version =5.0.0, =1.0.0, =1.2.3, =1.0.6, =1.0.11, =1.9.4, =0.16.13, =0.16.13, =2.0.5, =5.0.1, =9.0.2, =0.4.15, =0.10.0, =1.0.1-beta.3, =1.9.0 and more Source cves: CVE-2026-35041 Source advisory: SNYK:JS-FASTJWT-15965925...
@albirex/platformatic-logto (>=1.0.0 <=3.0.1), @aoi-js/server (>=1.2.3 <=1.2.11) +115 more potentially affected by CVE-2026-35041 via fast-jwt (>=5.0.0 <=6.0.1)
fast-jwt NPM version =5.0.0, =1.0.0, =1.2.3, =1.0.6, =1.0.11, =1.9.4, =0.16.13, =0.16.13, =2.0.5, =5.0.1, =9.0.2, =0.4.15, =0.10.0, =1.0.1-beta.3, =1.9.0 and more Source cves: CVE-2026-35041 Source advisory: OSV:GHSA-CJW9-GHJ4-FWXF...
EUVD-2026-20899
fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification...
fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification
⚠️ IMPORTANT CLARIFICATIONS Affected Configurations This vulnerability ONLY affects applications that: - Use RegExp objects not strings in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options - Configure patterns susceptible to catastrophic backtracking - Example: allowedAud...
GHSA-CJW9-GHJ4-FWXF fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification
⚠️ IMPORTANT CLARIFICATIONS Affected Configurations This vulnerability ONLY affects applications that: - Use RegExp objects not strings in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options - Configure patterns susceptible to catastrophic backtracking - Example: allowedAud...
@jsprismarine/client (>=0.1.0-rc.50 <=0.13.1-unstable-20250503082416), @jsprismarine/prismarine (>=0.12.2-unstable-20250320195345 <=0.13.1-unstable-20250503082416) +2 more potentially affected by CVE-2026-35040 via fast-jwt (>=6.0.0 <=6.0.1)
fast-jwt NPM version =6.0.0, =0.1.0-rc.50, =0.12.2-unstable-20250320195345, =0.1.0-rc.50, =0.1.0-rc.50, =0.1.0-rc.52 Source cves: CVE-2026-35040 Source advisory: SNYK:JS-FASTJWT-15965926...
GHSA-3J8V-CGW4-2G6Q fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)
Impact Using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt...