CVE-2026-35040Expected Behavior Violation in Fast-jwt

CWE-440Expected Behavior ViolationCWE-697Incorrect Comparison4 documents4 sources
Severity
5.3MEDIUMNVD
EPSS
0.1%
top 74.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Nearform Fast-jwt
Timeline
PublishedApr 9

Description

fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided. Such modifiers are /g (global matching) and /y (sticky matching). This does NOT allow i

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

CVEListV5nearform/fast-jwt< 6.2.1
npmnearform/fast-jwt< 6.2.1

🔴Vulnerability Details

2
GHSA
fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)2026-04-09
OSV
fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)2026-04-09

🕵️Threat Intelligence

1
Wiz
CVE-2026-35040 Impact, Exploitability, and Mitigation Steps | Wiz