Regular Expression Denial Of Service
fast-jwt is vulnerable to Regular Expression Denial of Service. The vulnerability is due to the library allowing regular expressions in claim validation, where a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during...
@albirex/platformatic-logto (>=1.0.0 <=3.0.1), @aoi-js/server (>=1.2.3 <=1.2.11) +115 more potentially affected by CVE-2026-35041 via fast-jwt (>=5.0.0 <=6.0.1)
fast-jwt NPM version =5.0.0, =1.0.0, =1.2.3, =1.0.6, =1.0.11, =1.9.4, =0.16.13, =0.16.13, =2.0.5, =5.0.1, =9.0.2, =0.4.15, =0.10.0, =1.0.1-beta.3, =1.10.1-beta.0 and more Source cves: CVE-2026-35041 Source advisory: OSV:GHSA-CJW9-GHJ4-FWXF...
Also tracked as Source advisory: SNYK:JS-FASTJWT-15965925... (same affected packages, same fast-jwt range >=5.0.0 <=6.0.1 and same Source cves: CVE-2026-35041 as the OSV entry above)
CVE-2026-35041 ReDoS in fast-jwt when using RegExp in allowed* leading to CPU exhaustion during token verification
fast-jwt provides a fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the...
CVE-2026-35040
fast-jwt provides a fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects passed to the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options of the verify functions can cause unintended behaviours. This is because some modifiers are statef...
fast-jwt security vulnerability
fast-jwt is a JSON Web Token implementation open-sourced by Nearform. Versions of fast-jwt up to and including 6.2.0 contain security vulnerabilities. They occur when the allowedAud verification option is a regular expression and the attacker-controlled aud claim trigger...
@jsprismarine/client (>=0.12.2-unstable-20250320195345 <=0.13.1-unstable-20250503082416), @jsprismarine/prismarine (>=0.12.2-unstable-20250320195345 <=0.13.1-unstable-20250503082416) +1 more potentially affected by CVE-2023-48223 +1 more via fast-jwt (>=6.0.0 <=6.0.1)
fast-jwt NPM version =6.0.0, =0.12.2-unstable-20250320195345, =0.12.2-unstable-20250320195345, =0.12.2-unstable-20250320195345, =0.13.1-unstable-20250503082416 Source cves: CVE-2023-48223, CVE-2026-34950 Source advisory: SNYK:JS-FASTJWT-15876721...
EUVD-2023-2944
Malicious code in bioql PyPI...
Authentication Bypass
fast-jwt is vulnerable to Authentication Bypass. The vulnerability is due to improper validation of the iss claim, allowing an array of strings as a valid issuer, which can be exploited for JWT forgery and authentication bypass attacks...
03-api-solid (>=1.0.0 <=1.1.2), @aitech-asia/cms (>=0.0.1 <=2.0.35) +226 more potentially affected by CVE-2025-30144 via fast-jwt (>=0.1.1 <=5.0.5)
fast-jwt NPM version =0.1.1, =1.0.0, =0.0.1, =0.0.1, =1.1.1, =0.2.0, =0.2.0, =0.1.0, =0.8.0, =0.1.1, =0.5.0, =0.7.0, =0.1.1, =0.4.0, =0.1.0, =0.1.0, =1.0.0-beta.0 and more Source cves: CVE-2025-30144 Source advisory: OSV:GHSA-GM45-Q3V2-6CF8...
CVE-2025-30144
CVE-2025-30144 affects the fast-jwt library prior to 5.0.6, where iss validation incorrectly accepts an array of strings as a valid issuer. This permissive check can let an attacker forge a JWT containing an issuer array like [host, https://valid-iss], which may be accepted by verifiers (especial...