Impact
The vulnerability stems from fast-jwt's failure to validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token includes a crit array listing extensions that the library does not understand, the implementation accepts the token instead of rejecting it, although the standard requires a recipient to treat such a JWS as invalid. This allows a malicious actor to supply tokens carrying unknown or crafted extensions that the application may interpret incorrectly, potentially leading to authorization bypass or other unintended behavior. The weakness is consistent with CWE-345 (Insufficient Verification of Data Authenticity) and CWE-636 (Not Failing Securely ('Failing Open')).
Affected Systems
Affected are installations of the fast-jwt library by nearform, version 6.1.0 and all earlier releases. The source data notes no patched release, so the risk applies to every environment running those versions.
Risk and Exploitability
The CVSS base score of 7.5 signals high severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog. An attacker would deliver a crafted JWT, typically embedded in an HTTP request, to make the library accept a token whose crit list names extensions it does not understand. Since fast-jwt commonly processes tokens received over the network, the attack can be performed remotely, although it requires the attacker to be able to supply the token through the application's input channel.
OpenCVE Enrichment
Github GHSA