CVE-2026-44351

EPSS 0.24%
Veröffentlicht 13.05.2026 19:12:33
Zuletzt bearbeitet 14.05.2026 19:16:37
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

fast-jwt: Empty HMAC secret accepted via async key resolver - JWT auth bypass

fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an empty string (''), for example via the common keys[decoded.header.kid] || '' JWKS-style fallback, fast-jwt converts it to a zero-length Buffer, hands it to crypto.createSecretKey, derives allowedAlgorithms = ['HS256','HS384','HS512'] from it, and then verifies the token's signature against an empty-key HMAC. The attacker simply computes HMAC-SHA256(key='', input='${header}.${payload}'), which Node accepts without complaint — and the verifier returns the attacker-chosen payload (sub, admin, scopes, etc.) as authentic. This vulnerability is fixed in 6.2.4.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellernearform

≫

Produkt fast-jwt

Version < 6.2.4

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.24%	0.144

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-1391 Use of Weak Credentials

The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

https://github.com/nearform/fast-jwt/security/advisories/GHSA-gmvf-9v4p-v8jc

https://nvd.nist.gov/vuln/detail/CVE-2026-44351

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-44351

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-44351

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-44351