6.5

CVE-2026-35041

Exploit

ReDoS in fast-jwt when using RegExp in allowed* leading to CPU exhaustion during token verification

fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NearformFast-jwt SwPlatformnode.js Version >= 5.0.0 < 6.2.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.26% 0.173
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com 4.2 0.5 3.6
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://github.com/nearform/fast-jwt/releases/tag/v6.2.1
Product
Release Notes
https://github.com/nearform/fast-jwt/commit/b0be0ca161593836a153d5180ca5358ad9b5de94
Patch
https://github.com/nearform/fast-jwt/pull/595
Patch
Issue Tracking
https://github.com/nearform/fast-jwt/security/advisories/GHSA-cjw9-ghj4-fwxf
Vendor Advisory
Exploit
Mitigation