CVE-2026-35041
Published: 2026-04-09
Priority: P3 (37) | Severity: medium | CVSS 3.1 base score: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.26% (17.5th percentile)
fast-jwt provides a fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nearform | fast-jwt | — | — |
| nearform | fast-jwt | >= 5.0.0 < 6.2.1 | 6.2.1 |
| nearform | fast-jwt | >= 5.0.0 < 6.2.1 | 6.2.1 |
OSV · 2026-04-09
CVE-2026-35041 [MEDIUM] fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification
## ⚠️ IMPORTANT CLARIFICATIONS
### Affected Configurations
This vulnerability ONLY affects applications that:
- Use RegExp objects (not strings) in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options
- Configure patterns susceptible to catastrophic backtracking
- Example: `allowedAud: /^(a+)+X$/` ← VULNERABLE
- Example: `allowedAud: "api.company.com"` ← SAFE
### Not Affected
- Applications using string patterns for audience validation (most common)
- Applications using safe RegExp patterns without nested quantifiers
- Default fast-jwt configurations
### Assessment Guide
To determine if you're affected:
1. Check if allowedAud, allowedIss, allowedSub, allowedJti,
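An added audit helper, not fast-jwt's or the advisory's own code, that applies the clarification above to a verifier options object: it reports every allowed* option holding a RegExp (string matchers are the safe case) and flags the patterns with the shape the advisory names, an unbounded quantifier over a group that itself contains a quantifier, like `/^(a+)+X$/`. Walking array-valued options element by element and the sample configurations at the end are assumptions.

```javascript
// Added example, not fast-jwt's or the advisory's own code: audit a verifier
// options object for RegExp matchers in the allowed* options and flag patterns
// whose shape can backtrack catastrophically on an attacker-chosen claim.
const ALLOWED_OPTIONS = ['allowedAud', 'allowedIss', 'allowedSub', 'allowedJti', 'allowedNonce'];

// Heuristic for the advisory's shape (/^(a+)+X$/): an unbounded quantifier
// (+, *, {n,}) applied to a group whose body already contains a quantifier.
// Escapes and character classes are skipped so "\+" and "[+*]" are not miscounted.
function hasNestedQuantifier(source) {
  const groups = [];                 // per open group: does its body hold a quantifier?
  let closedHadQuantifier = false;   // true only for the char right after a ')'
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    const afterQuantifiedGroup = closedHadQuantifier;
    closedHadQuantifier = false;
    if (c === '\\') { i++; continue; }
    if (c === '[') {                 // skip the character class; a leading ']' is literal
      if (source[++i] === '^') i++;
      if (source[i] === ']') i++;
      for (; i < source.length && source[i] !== ']'; i++) if (source[i] === '\\') i++;
      continue;
    }
    if (c === '(') { groups.push(false); continue; }
    if (c === ')') { closedHadQuantifier = groups.pop() ?? false; continue; }
    const bounded = c === '{' ? /^\{\d+(,\d*)?\}/.exec(source.slice(i)) : null;
    if (c !== '+' && c !== '*' && bounded === null) continue;   // not a quantifier
    if ((c === '+' || c === '*' || bounded[0].endsWith(',}')) && afterQuantifiedGroup) return true;
    groups.fill(true);               // every enclosing group now contains a quantifier
    if (bounded !== null) i += bounded[0].length - 1;
  }
  return false;
}

// One finding per RegExp matcher; arrays are walked element by element (assumed accepted).
function auditAllowedOptions(options) {
  const findings = [];
  for (const name of ALLOWED_OPTIONS) {
    [].concat(options[name] ?? []).forEach((value, index) => {
      if (value instanceof RegExp) {
        findings.push({ option: name, index, pattern: value.source, risky: hasNestedQuantifier(value.source) });
      }
    });
  }
  return findings;
}

// Constructed configurations mirroring the advisory's VULNERABLE and SAFE examples.
const vulnerableOptions = { allowedAud: /^(a+)+X$/ };
const safeOptions = { allowedAud: ['api.company.com'], allowedIss: /^https:\/\/issuer\.example$/ };
```

`auditAllowedOptions(vulnerableOptions)` returns a single finding with `risky: true`; `auditAllowedOptions(safeOptions)` reports only the allowedIss RegExp, with `risky: false`, which is still worth a review since any RegExp matcher runs against attacker-chosen input.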
GHSA · 2026-04-09
CVE-2026-35041 [MEDIUM] CWE-1333 fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification
No detection rules found.
No public exploits indexed.
References:
https://github.com/nearform/fast-jwt/commit/b0be0ca161593836a153d5180ca5358ad9b5de94
https://github.com/nearform/fast-jwt/pull/595
https://github.com/nearform/fast-jwt/releases/tag/v6.2.1
https://github.com/nearform/fast-jwt/security/advisories/GHSA-cjw9-ghj4-fwxf