Description
fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1.
Published: 2026-04-09
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A denial‑of‑service condition exists in the fast‑jwt library when the allowedAud verification option is configured with a regular expression. Attacker‑controlled JSON Web Token claim values are evaluated against the supplied RegExp, and a carefully crafted token can trigger catastrophic backtracking in the JavaScript regex engine. This results in elevated CPU consumption during verification, effectively exhausting server resources. The weakness is a classic Regular Expression Backtracking issue (CWE‑1333).

Affected Systems

The vulnerability affects the nearform Fast‑jwt library for Node.js. Versions from 5.0.0 through 6.2.0 are impacted. The issue is fixed in release 6.2.1 and later.

Risk and Exploitability

The CVSS score is 4.2, indicating moderate severity, and the EPSS score is below 1%, suggesting a low probability of exploitation in the wild at present. However, once a malicious JWT is presented to an application using this library with a RegExp allowedAud configuration, the backtracking can be triggered, which may allow an attacker to cause out‑of‑band denial of service. The vulnerability is not listed in the CISA KEV catalog, but care should be taken as it can be exploited remotely via the application’s authentication endpoint.

Generated by OpenCVE AI on April 14, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade fast-jwt to version 6.2.1 or later.
  • Review the library configuration to avoid using regular expressions for the allowedAud option; use literal strings or a static array of allowed values instead.
  • Monitor application performance and verify that token verification no longer triggers high CPU usage after the upgrade.

Generated by OpenCVE AI on April 14, 2026 at 21:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cjw9-ghj4-fwxf fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification
History

Tue, 14 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:nearform:fast-jwt:*:*:*:*:*:node.js:*:*

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Nearform
Nearform fast-jwt
Vendors & Products Nearform
Nearform fast-jwt

Thu, 09 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1.
Title ReDoS in fast-jwt when using RegExp in allowed* leading to CPU exhaustion during token verification
Weaknesses CWE-1333
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Nearform Fast-jwt
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:15:25.352Z

Reserved: 2026-03-31T21:06:06.428Z

Link: CVE-2026-35041

cve-icon Vulnrichment

Updated: 2026-04-09T16:14:24.545Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T16:16:27.383

Modified: 2026-04-14T20:15:13.637

Link: CVE-2026-35041

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:00:07Z

Weaknesses