Description
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided. Such modifiers are /g (global matching) and /y (sticky matching). This does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes 50% of valid authentication requests to fail in an alternating pattern. This vulnerability is fixed in 6.2.1.
Published: 2026-04-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Failure / Denial
Action: Patch
AI Analysis

Impact

A stateful RegExp modifier applied to claims such as allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce causes every second verification attempt to fail, even when the token is valid. The effect is a logical denial-of-service in authentication, where 50% of legitimate requests are rejected with no unauthorized access or data breach.

Affected Systems

The issue is present in the nearform fast-jwt library, affecting all releases prior to version 6.2.1. The defect was addressed in the 6.2.1 release and later. Applications that depend on fast-jwt for JWT validation and that use RegExp modifiers /g or /y in the claim-validation options are impacted.

Risk and Exploitability

The CVSS score of 5.3 reflects moderate impact. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. An attacker who can influence the verification call (for example by controlling the RegExp flags in the payload or by submitting crafted tokens to an authentication endpoint) would cause intermittent authentication failures, potentially degrading service availability. Direct exploitation does not lead to privilege escalation or data disclosure.

Generated by OpenCVE AI on April 9, 2026 at 16:22 UTC.
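The alternating failure described above, reproduced with a simplified stand-in for an allowed-claim check. This is an added example, not fast-jwt's own code; the helper names (claimAllowed, verifySeries, isStatefulRegExp, stripStatefulFlags) and the sample audience value are assumptions.

```javascript
// Added example (not fast-jwt's code): why a /g or /y RegExp in an allowed-claim
// option alternates between accepting and rejecting the same valid token.

// Simplified stand-in for an allowed-claim check (name and shape are assumptions).
// RegExp.prototype.test() reads and updates lastIndex when the global (g) or
// sticky (y) flag is set: the second call starts past the end of the string,
// fails, resets lastIndex to 0, and the third call succeeds again.
function claimAllowed(allowed, value) {
  if (typeof allowed === 'string') return allowed === value;
  return allowed.test(value);
}

// Run the same valid claim value through a check several times in a row.
function verifySeries(allowed, value, times, check = claimAllowed) {
  const results = [];
  for (let i = 0; i < times; i += 1) results.push(check(allowed, value));
  return results;
}

// Configuration check: flag RegExps whose result depends on earlier calls.
function isStatefulRegExp(re) {
  return re instanceof RegExp && (re.global || re.sticky);
}

// Hardened check: clone the RegExp without g/y so every call starts at index 0.
// (Setting allowed.lastIndex = 0 before each test also works, but it mutates the
// caller's object, which is typically shared across requests.)
function stripStatefulFlags(re) {
  return new RegExp(re.source, re.flags.replace(/[gy]/g, ''));
}

function claimAllowedSafe(allowed, value) {
  if (typeof allowed === 'string') return allowed === value;
  return stripStatefulFlags(allowed).test(value);
}

// Constructed sample: a valid audience claim checked four times against a
// misconfigured rule (global flag), with the stateful and the hardened check.
const SAMPLE_AUD = 'api.example.com';
console.log('stateful /g:', verifySeries(/^api\.example\.com$/g, SAMPLE_AUD, 4)); // [true,false,true,false]
console.log('hardened   :', verifySeries(/^api\.example\.com$/g, SAMPLE_AUD, 4, claimAllowedSafe)); // [true,true,true,true]
```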

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade fast-jwt to version 6.2.1 or later.


Advisories
Source: Github GHSA
ID: GHSA-3j8v-cgw4-2g6q
Title: fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)
History

Fri, 17 Apr 2026 20:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:nearform:fast-jwt:*:*:*:*:*:node.js:*:*

Mon, 13 Apr 2026 20:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Nearform; Nearform fast-jwt
Type: Vendors & Products
Values Added: Nearform; Nearform fast-jwt

Thu, 09 Apr 2026 15:30:00 +0000

Type: Description
Values Added: fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided. Such modifiers are /g (global matching) and /y (sticky matching). This does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes 50% of valid authentication requests to fail in an alternating pattern. This vulnerability is fixed in 6.2.1.
Type: Title
Values Added: fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)
Type: Weaknesses
Values Added: CWE-440, CWE-697
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T20:03:41.746Z

Reserved: 2026-03-31T21:06:06.428Z

Link: CVE-2026-35040

Vulnrichment

Updated: 2026-04-13T20:03:37.570Z

NVD

Status: Analyzed

Published: 2026-04-09T16:16:27.213

Modified: 2026-04-17T20:10:05.477

Link: CVE-2026-35040

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:32:32Z

Weaknesses