CVE-2026-35042

Exploit

EPSS 0.02%
Veröffentlicht 06.04.2026 17:02:12
Zuletzt bearbeitet 10.04.2026 18:35:35
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nearform ≫ Fast-jwt SwPlatformnode.js Version < 6.2.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.054

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

CWE-636 Not Failing Securely ('Failing Open')

When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.

https://github.com/nearform/fast-jwt/security/advisories/GHSA-hm7r-c7qw-ghp6

Vendor Advisory

Exploit

Mitigation

https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11

Technical Description

https://nvd.nist.gov/vuln/detail/CVE-2026-35042

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-35042

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-35042

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-35042