11 matches found

Veracode
added 2026/04/17 8:17 a.m., 9 views

Regular Expression Denial Of Service

fast-jwt is vulnerable to Regular Expression Denial of Service. The vulnerability is due to the library allowing regular expressions in claim validation, where a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during...

CVSS 6.5, AI score 5.7, EPSS 0.00262
Exploits 1, References 4, Affected software 1
vulnersOsv
added 2026/04/09 4:41 p.m., 13 views

@albirex/platformatic-logto (>=1.0.0 <=3.0.1), @aoi-js/server (>=1.2.3 <=1.2.11) +115 more potentially affected by CVE-2026-35041 via fast-jwt (>=5.0.0 <=6.0.1)

fast-jwt NPM version =5.0.0, =1.0.0, =1.2.3, =1.0.6, =1.0.11, =1.9.4, =0.16.13, =0.16.13, =2.0.5, =5.0.1, =9.0.2, =0.4.15, =0.10.0, =1.0.1-beta.3, =1.10.1-beta.0 and more Source cves: CVE-2026-35041 Source advisory: OSV:GHSA-CJW9-GHJ4-FWXF...

CVSS 6.5, AI score 5.7, EPSS 0.00262
Exploits 1
vulnersOsv
added 2026/04/09 4:41 p.m., 8 views

@albirex/platformatic-logto (>=1.0.0 <=3.0.1), @aoi-js/server (>=1.2.3 <=1.2.11) +115 more potentially affected by CVE-2026-35041 via fast-jwt (>=5.0.0 <=6.0.1)

fast-jwt NPM version =5.0.0, =1.0.0, =1.2.3, =1.0.6, =1.0.11, =1.9.4, =0.16.13, =0.16.13, =2.0.5, =5.0.1, =9.0.2, =0.4.15, =0.10.0, =1.0.1-beta.3, =1.10.1-beta.0 and more Source cves: CVE-2026-35041 Source advisory: SNYK:JS-FASTJWT-15965925...

CVSS 6.5, AI score 5.7, EPSS 0.00262
Exploits 1
Cvelist
added 2026/04/09 2:55 p.m., 15 views

CVE-2026-35041 ReDoS in fast-jwt when using RegExp in allowed* leading to CPU exhaustion during token verification

fast-jwt provides a fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the...

CVSS 4.2, EPSS 0.00262
Exploits 1, References 4
ATTACKERKB
added 2026/04/09 2:52 p.m., 3 views

CVE-2026-35040

fast-jwt provides a fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options of the verify functions can cause unintended behaviour. This is because some modifiers are statef...

CVSS 5.3, AI score 5.9, EPSS 0.00383
Exploits 1, References 5, Affected software 1
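The two regex-related entries above (CVE-2026-35041 and CVE-2026-35040) both turn on how a caller-supplied RegExp is evaluated against an attacker-controlled claim. The JavaScript below is an added illustration, not fast-jwt's own code: `naiveClaimMatches` shows how a RegExp carrying the `g` or `y` flag keeps state in `lastIndex`, so the same valid claim is accepted on one call and rejected on the next; `safeClaimMatches` rebuilds the pattern without those flags and rejects over-long claims before any pattern runs. The `MAX_CLAIM_LENGTH` value and the function names are assumptions made for this example.

```javascript
// Added illustration (not fast-jwt's code): stateful RegExp flags in
// allowed-claim checks, and a matcher that neutralises them.

// Naive: evaluate the caller-supplied RegExp directly against the claim.
// With the g or y flag, RegExp#test advances re.lastIndex after a match,
// so the next call on the same valid value starts mid-string and fails.
function naiveClaimMatches(claimValue, allowed) {
  if (allowed instanceof RegExp) return allowed.test(claimValue);
  return allowed === claimValue;
}

// Assumed bound for this example: claims longer than this are rejected
// before any pattern runs. This limits the input a backtracking pattern
// has to chew through; it does not make a nested-quantifier pattern safe
// on its own, so the allow-list patterns themselves still need review.
const MAX_CLAIM_LENGTH = 256;

// Hardened: require a single string (an array-valued aud would need each
// element checked the same way), bound its length, and rebuild the RegExp
// without the stateful g/y flags so every call starts from index 0.
function safeClaimMatches(claimValue, allowed) {
  if (typeof claimValue !== 'string' || claimValue.length > MAX_CLAIM_LENGTH) {
    return false;
  }
  if (allowed instanceof RegExp) {
    const stateless = new RegExp(allowed.source, allowed.flags.replace(/[gy]/g, ''));
    return stateless.test(claimValue);
  }
  return allowed === claimValue;
}

// Verify the same legitimate issuer twice with each matcher.
function demoStatefulFlags() {
  const allowedIss = /^https:\/\/issuer\.example$/g; // g flag makes it stateful
  const iss = 'https://issuer.example';
  return {
    naive: [naiveClaimMatches(iss, allowedIss), naiveClaimMatches(iss, allowedIss)],
    safe: [safeClaimMatches(iss, allowedIss), safeClaimMatches(iss, allowedIss)],
  };
}

console.log(demoStatefulFlags()); // naive: [true, false], safe: [true, true]
```

The flip in the naive matcher is exactly the "unintended behaviour" a stateful modifier produces: a token that verified a moment ago fails on the next request, and vice versa, depending on what the shared RegExp object last saw. Cloning the pattern per call, or refusing RegExp options that carry `g` or `y`, removes that shared state.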
CNNVD
added 2026/04/09 12:00 a.m., 9 views

fast-jwt security vulnerability

fast-jwt is a JSON Web Token implementation open-sourced by Nearform. Versions of fast-jwt up to 6.2.0 contain a security vulnerability. It occurs when the allowedAud verification option uses a regular expression, and if the attacker-controlled aud claim trigger...

CVSS 6.5, AI score 5.7, EPSS 0.00262
Exploits 1, References 4
vulnersOsv
added 2026/04/02 8:37 p.m., 6 views

@jsprismarine/client (>=0.12.2-unstable-20250320195345 <=0.13.1-unstable-20250503082416), @jsprismarine/prismarine (>=0.12.2-unstable-20250320195345 <=0.13.1-unstable-20250503082416) +1 more potentially affected by CVE-2023-48223 +1 more via fast-jwt (>=6.0.0 <=6.0.1)

fast-jwt NPM version =6.0.0, =0.12.2-unstable-20250320195345, =0.12.2-unstable-20250320195345, =0.12.2-unstable-20250320195345, =0.13.1-unstable-20250503082416 Source cves: CVE-2023-48223, CVE-2026-34950 Source advisory: SNYK:JS-FASTJWT-15876721...

CVSS 9.1, AI score 6.2, EPSS 0.00687
Exploits 2
EUVD
added 2025/10/03 8:07 p.m., 6 views

EUVD-2023-2944

Malicious code in bioql PyPI...

CVSS 5.9, AI score 6, EPSS 0.00687
Exploits 1, References 6
Veracode
added 2025/03/24 7:06 a.m., 13 views

Authentication Bypass

fast-jwt is vulnerable to Authentication Bypass. The vulnerability is due to improper validation of the iss claim, allowing an array of strings as a valid issuer, which can be exploited for JWT forgery and authentication bypass attacks...

CVSS 6.5, AI score 7.4, EPSS 0.00519
Exploits 0, References 4, Affected software 1
vulnersOsv
added 2025/03/19 3:48 p.m., 10 views

03-api-solid (>=1.0.0 <=1.1.2), @aitech-asia/cms (>=0.0.1 <=2.0.35) +226 more potentially affected by CVE-2025-30144 via fast-jwt (>=0.1.1 <=5.0.5)

fast-jwt NPM version =0.1.1, =1.0.0, =0.0.1, =0.0.1, =1.1.1, =0.2.0, =0.2.0, =0.1.0, =0.8.0, =0.1.1, =0.5.0, =0.7.0, =0.1.1, =0.4.0, =0.1.0, =0.1.0, =1.0.0-beta.0 and more Source cves: CVE-2025-30144 Source advisory: OSV:GHSA-GM45-Q3V2-6CF8...

CVSS 6.5, AI score 5.4, EPSS 0.00519
Exploits 0
CVE
added 2025/03/19 3:41 p.m., 86 views

CVE-2025-30144

CVE-2025-30144 affects the fast-jwt library prior to 5.0.6, where iss validation incorrectly accepts an array of strings as a valid issuer. This permissive check can let an attacker forge a JWT containing an issuer array like [host, https://valid-iss], which may be accepted by verifiers (especial...

CVSS 6.5, AI score 6.2, EPSS 0.00519
Exploits 0, References 3
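The CVE-2025-30144 entries above describe an `iss` check that accepts an array of strings as a valid issuer. The JavaScript below is an added example, not fast-jwt's code: `permissiveIssuerOk` is an illustrative pattern with the described weakness (`includes` is defined on both strings and arrays, so an array that contains one allowed issuer passes), and `strictIssuerOk` rejects anything but a single string before comparing by equality, as RFC 7519 defines `iss` as a single StringOrURI. The tokens are constructed here and unsigned; signature verification is assumed to happen as a separate step, and `ALLOWED_ISS` is an assumed allow-list.

```javascript
// Added example (not fast-jwt's code): why an iss claim that arrives as
// an array must be rejected rather than matched against the allow-list.

// Permissive pattern: String#includes and Array#includes share a name, so
// when payload.iss is the array ["https://attacker.example", "https://valid-iss"]
// this check passes as long as one element is on the allow-list.
function permissiveIssuerOk(payload, allowedIss) {
  return allowedIss.some((allowed) => payload.iss.includes(allowed));
}

// Strict pattern: iss must be a single string (RFC 7519 StringOrURI);
// anything else is rejected, then the string is compared by equality.
function strictIssuerOk(payload, allowedIss) {
  if (typeof payload.iss !== 'string') return false;
  return allowedIss.includes(payload.iss);
}

// base64url helpers for the JWT segments (Node's Buffer supports 'base64url').
function encodeSegment(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Decode the payload segment. Signature checking is a separate step that
// this example leaves out; the tokens below are constructed and unsigned.
function decodePayload(token) {
  const seg = token.split('.')[1];
  return JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
}

const ALLOWED_ISS = ['https://valid-iss']; // assumed allow-list for the example

function demoIssuerArray() {
  const header = encodeSegment({ alg: 'none', typ: 'JWT' });
  // Forged token: iss is an array whose second element is the trusted issuer.
  const forged = `${header}.${encodeSegment({
    iss: ['https://attacker.example', 'https://valid-iss'],
    sub: 'admin',
  })}.`;
  // Legitimate token: iss is the trusted issuer as a plain string.
  const legit = `${header}.${encodeSegment({ iss: 'https://valid-iss', sub: 'alice' })}.`;
  return {
    forgedPermissive: permissiveIssuerOk(decodePayload(forged), ALLOWED_ISS),
    forgedStrict: strictIssuerOk(decodePayload(forged), ALLOWED_ISS),
    legitPermissive: permissiveIssuerOk(decodePayload(legit), ALLOWED_ISS),
    legitStrict: strictIssuerOk(decodePayload(legit), ALLOWED_ISS),
  };
}

console.log(demoIssuerArray());
// forgedPermissive: true, forgedStrict: false, legitPermissive: true, legitStrict: true
```

The type check is what closes the hole: the forged payload still carries a trusted issuer, so any comparison that tolerates an array will find it. Rejecting non-string `iss` values up front also removes the substring ambiguity of `String#includes`, since the strict version compares whole values with `Array#includes` on the allow-list side only.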