SUSE CVE-2026-35611

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking...

minimatch: minimatch: Denial of Service via specially crafted glob patterns

A flaw was found in minimatch. A remote attacker could exploit this Regular Expression Denial of Service ReDoS vulnerability by providing a specially crafted glob pattern. This pattern, containing numerous consecutive wildcard characters, causes excessive processing and exponential backtracking i...

Regular Expression Denial of Service (ReDoS)

Overview fast-jwt is a Fast JSON Web Token implementation Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options when used with RegExp objects and RegExp is configured with nest...

fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification

⚠️ IMPORTANT CLARIFICATIONS Affected Configurations This vulnerability ONLY affects applications that: - Use RegExp objects not strings in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options - Configure patterns susceptible to catastrophic backtracking - Example: allowedAud...

fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)

Impact Using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt...

GHSA-3J8V-CGW4-2G6Q fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)

Impact Using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt...

CVE-2026-35041

fast-jwt provides fast JSON Web Token JWT implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the...

CVE-2026-35040

fast-jwt provides fast JSON Web Token JWT implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are statef...

CVE-2026-35041

The CVE affects fast-jwt versions 5.0.0 through 6.2.0 where allowedAud verification uses a RegExp. The attacker-controlled aud claim, when matched against the provided RegExp, can trigger catastrophic backtracking in the JavaScript engine, causing CPU exhaustion during token verification. This vu...

CVE-2026-35041

fast-jwt provides fast JSON Web Token JWT implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the...

CVE-2026-35041 ReDoS in fast-jwt when using RegExp in allowed* leading to CPU exhaustion during token verification

fast-jwt provides fast JSON Web Token JWT implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the...

CVE-2026-35040 fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)

fast-jwt provides fast JSON Web Token JWT implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are statef...

CVE-2026-35040

CVE-2026-35040 affects the fast-jwt library prior to version 6.2.1. The issue involves stateful RegExp modifiers /g and /y used in allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce verify options, which can cause 50% of valid authentication attempts to fail in an alternating pattern...

minimatch: minimatch: Denial of Service via specially crafted glob patterns

A flaw was found in minimatch. A remote attacker could exploit this Regular Expression Denial of Service ReDoS vulnerability by providing a specially crafted glob pattern. This pattern, containing numerous consecutive wildcard characters, causes excessive processing and exponential backtracking i...

SUSE-SU-2026:1232-1 Security update for cockpit

This update for cockpit fixes the following issues: - CVE-2026-25547: brace-expansion: unbounded brace range expansion can lead to excessive CPU and memory consumption and may crash a Node.js process bsc1257836. - CVE-2026-26996: minimatch: ReDoS when glob pattern contains many consecutive...

SUSE-SU-2026:21215-1 Security update for patterns-glibc-hwcaps

This update for patterns-glibc-hwcaps fixes the following issues: The pattern is moved from PackageHub to regular SLES. It requires packages for the x8664 v3 architecture and is automatically pulled in when this architecture is present. These packages are optimized for the x8664 v3 architecture t...

OPENSUSE-SU-2026:20803-1 Security update for patterns-glibc-hwcaps

This update for patterns-glibc-hwcaps fixes the following issues: The pattern is moved from PackageHub to regular SLES. It requires packages for the x8664 v3 architecture and is automatically pulled in when this architecture is present. These packages are optimized for the x8664 v3 architecture t...

Regular Expression Denial Of Service (ReDoS)

minimatch is vulnerable to Regular Expression Denial of Service ReDoS. The vulnerability is due to inefficient handling of multiple consecutive wildcards in glob patterns, leading to exponential backtracking in regex evaluation, which allows an attacker to cause significant performance degradatio...

Regular Expression Denial Of Service (ReDoS)

minimatch is vulnerable to Regular Expression Denial of Service ReDoS. The vulnerability is due to nested extglob patterns generating regex with unbounded quantifiers, which allows an attacker to trigger catastrophic backtracking via crafted patterns and inputs, leading to significant performance...

PT-2026-31622

fast-jwt provides fast JSON Web Token JWT implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the...