Description
fast-jwt provides a fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an empty string (''), for example via the common keys[decoded.header.kid] || '' JWKS-style fallback, fast-jwt converts it to a zero-length Buffer, hands it to crypto.createSecretKey, derives allowedAlgorithms = ['HS256','HS384','HS512'] from it, and then verifies the token's signature against an empty-key HMAC. The attacker simply computes HMAC-SHA256(key='', input='${header}.${payload}'), which Node accepts without complaint — and the verifier returns the attacker-chosen payload (sub, admin, scopes, etc.) as authentic. This vulnerability is fixed in 6.2.4.
Published: 2026-05-13
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when fast‑jwt’s async key resolver returns an empty string. The library treats this as a zero‑length buffer, and Node’s crypto module accepts HMACs computed with an empty key. An attacker can therefore forge a JWT whose signature verifies against this empty key, setting arbitrary claims such as user id, role, or scopes. This flaw permits unauthorized elevation of privileges and maps to several weaknesses, including authentication failure (CWE‑287), cryptographic key weakness (CWE‑326), and failure to restrict input (CWE‑1391). The CVSS score of 9.1 reflects the high impact on confidentiality, integrity, and availability.

Affected Systems

The flaw affects the Nearform fast‑jwt JWT library. Any version prior to 6.2.4 is vulnerable. Applications that use the async key‑resolver path and allow an empty key—such as the common JWKS‑style pattern “keys[decoded.header.kid] || ''”—are at risk. If your project depends on fast‑jwt, verify that you are running 6.2.4 or later; otherwise the bug remains present.

Risk and Exploitability

With a CVSS score of 9.1 the risk is high. The EPSS score is not available, so the exact exploitation probability is unknown, but the flaw requires the key resolver to return an empty string—a configuration issue that many deployments may contain. An attacker can forge arbitrary JWTs to impersonate users, gain administrative access, or manipulate scopes. The vulnerability is not listed in the CISA KEV catalogue, but the seriousness of the flaw demands immediate action. The likely attack path is an application that resolves a missing key by defaulting to an empty string and a malicious actor leveraging a forged token in their requests.

Generated by OpenCVE AI on May 13, 2026 at 22:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade fast‑jwt to version 6.2.4 or later.
  • Review and adjust your async key resolver to return null or throw an error instead of an empty string for missing keys.
  • Add an explicit key length check and refuse HMAC signatures generated with a zero‑length key.
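As an added example (not fast-jwt's own code) for the empty-string fallback quoted in the description and for the resolver and key-length actions listed above: the vulnerable `keys[decoded.header.kid] || ''` lookup beside a hardened lookup intended for fast-jwt's `createVerifier({ key })` resolver option. The sample key map, the kid values and the 32-byte minimum are assumptions; the minimum follows RFC 7518 section 3.2 for HS256.

```javascript
// Added example, not fast-jwt's own code: a key lookup that can never hand the
// library an empty or undersized HMAC secret.

// RFC 7518 section 3.2: an HS256 key must be at least 256 bits (32 bytes).
const MIN_HMAC_KEY_BYTES = 32;

// Constructed sample key map, standing in for a JWKS-derived lookup table.
const SAMPLE_KEYS = {
  'kid-2026-05': 'this-is-a-constructed-32-byte-secret!!', // 38 bytes, constructed
  'kid-short': 'tooshort',                                  // present but far too weak
};

// The pattern quoted in the advisory: a missing kid silently falls back to ''.
function vulnerableLookup(keys, decoded) {
  return keys[decoded.header.kid] || '';
}

// Hardened form: reject a missing kid, missing key material, or a key that
// would become a zero-length or short Buffer, instead of returning ''.
function hardenedLookup(keys, decoded) {
  const kid = decoded && decoded.header ? decoded.header.kid : undefined;
  if (typeof kid !== 'string' || !Object.prototype.hasOwnProperty.call(keys, kid)) {
    throw new Error(`unknown kid ${JSON.stringify(kid)}`);
  }
  const raw = keys[kid];
  if (raw === undefined || raw === null) {
    throw new Error(`no key material for kid ${kid}`);
  }
  const buf = Buffer.isBuffer(raw) ? raw : Buffer.from(String(raw), 'utf8');
  if (buf.length < MIN_HMAC_KEY_BYTES) {
    throw new Error(`key for kid ${kid} is ${buf.length} bytes, need >= ${MIN_HMAC_KEY_BYTES}`);
  }
  return buf; // a non-empty Buffer; fast-jwt accepts Buffer secrets
}

// Async resolver in the shape fast-jwt calls, (decodedToken) => key. A throw
// here rejects the promise, so verification fails instead of proceeding with
// an empty-key HMAC.
function makeKeyResolver(keys) {
  return async (decoded) => hardenedLookup(keys, decoded);
}
```

Wire it in as `createVerifier({ key: makeKeyResolver(keys) })` (assumed option name from fast-jwt's API) and the `''` path cannot be reached, independent of the library version.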


Advisories

  Source: GitHub GHSA
  ID: GHSA-gmvf-9v4p-v8jc
  Title: fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver
History

Thu, 14 May 2026 19:15:00 +0000

  Metrics (ssvc) added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 22:00:00 +0000

  First Time appeared: Nearform; Nearform fast-jwt
  Vendors & Products added: Nearform; Nearform fast-jwt

Wed, 13 May 2026 20:00:00 +0000

  Description added: (the text shown under Description at the top of this page)
  Title added: fast-jwt: Empty HMAC secret accepted via async key resolver - JWT auth bypass
  Weaknesses added: CWE-1391, CWE-287, CWE-326
  References: (no values listed)
  Metrics (cvssV3_1) added: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:13:32.626Z

Reserved: 2026-05-05T19:52:59.148Z

Link: CVE-2026-44351

Vulnrichment

Updated: 2026-05-14T18:13:23.007Z

NVD

Status : Deferred

Published: 2026-05-13T20:16:22.860

Modified: 2026-05-14T19:16:37.050

Link: CVE-2026-44351

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T22:15:09Z

Weaknesses