Description
fast-jwt provides fast JSON Web Token (JWT) implementation. From 0.0.1 to before 6.2.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification process leading to valid tokens returning claims from different valid tokens and users being mis-identified as other users based on the wrong token. Version 6.2.0 contains a patch.
Published: 2026-04-06
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Mixup via Cache Collision
Action: Patch Immediately
AI Analysis

Impact

fast-jwt is a fast JSON Web Token implementation that, for versions 0.0.1 through 6.1.x, allowed a custom cacheKeyBuilder function that could be implemented incorrectly. When this function did not generate a unique key for each token, the library’s cache could store a token’s verification result under a key that later matched a different token. As a consequence, verification of one token could return claims from another valid token, causing a user to be misidentified as a different user. This defect permits an attacker to obtain the identity and authorization claims of another party without possessing the target’s private key or token.

Affected Systems

Node.js applications or other projects that depend on the nearform:fast-jwt package, specifically any installations using version 0.0.1 up to but not including 6.2.0. If a custom cacheKeyBuilder is supplied, the risk applies regardless of the specific package version within that range.

Risk and Exploitability

The vulnerability is scored highly with a CVSS 9.1 and a low EPSS (<1%), which means exploitation is possible but not yet widespread. It is not listed in the CISA KEV catalog, suggesting no known active exploitation at the time of the advisory. The likely attack scenario requires the attacker to influence the cacheKeyBuilder setting or supply a token that causes a built‑in cache collision. Successful exploitation would allow the attacker to impersonate another user or gain unauthorized access to resources that the victim’s token is authorized to use.

Generated by OpenCVE AI on April 8, 2026 at 13:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade fast-jwt to version 6.2.0 or later, which contains a fix for cacheKeyBuilder collisions.

Generated by OpenCVE AI on April 8, 2026 at 13:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rp9m-7r4c-75qg fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)
History

Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:nearform:fast-jwt:*:*:*:*:*:node.js:*:*

Wed, 08 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Description fast-jwt provides fast JSON Web Token (JWT) implementation. From 0.0.1 to before 6.1.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification process leading to valid tokens returning claims from different valid tokens and users being mis-identified as other users based on the wrong token. fast-jwt provides fast JSON Web Token (JWT) implementation. From 0.0.1 to before 6.2.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification process leading to valid tokens returning claims from different valid tokens and users being mis-identified as other users based on the wrong token. Version 6.2.0 contains a patch.
References

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Nearform
Nearform fast-jwt
Vendors & Products Nearform
Nearform fast-jwt

Mon, 06 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description fast-jwt provides fast JSON Web Token (JWT) implementation. From 0.0.1 to before 6.1.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification process leading to valid tokens returning claims from different valid tokens and users being mis-identified as other users based on the wrong token.
Title fast-jwt Affected by Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)
Weaknesses CWE-1289
CWE-345
CWE-706
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Nearform Fast-jwt
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T11:54:39.776Z

Reserved: 2026-03-31T21:06:06.428Z

Link: CVE-2026-35039

cve-icon Vulnrichment

Updated: 2026-04-07T14:25:39.607Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-06T17:17:13.243

Modified: 2026-04-22T19:05:01.623

Link: CVE-2026-35039

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:50:37Z

Weaknesses