CVE-2026-35041 — Regex Denial of Service in Fast-jwt

CWE-1333 — Regex Denial of Service4 documents4 sources

Severity

4.2MEDIUMNVD

EPSS

0.0%

top 87.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nearform Fast-jwt

Timeline

PublishedApr 9

Description

fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:HExploitability: 0.5 | Impact: 3.6

Affected Packages2 packages

▶npmnearform/fast-jwt5.0.0 — 6.2.1

▶CVEListV5nearform/fast-jwt>= 5.0.0, < 6.2.1

🔴Vulnerability Details

OSV

fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification↗2026-04-09

▶

GHSA

fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification↗2026-04-09

▶

🕵️Threat Intelligence

Wiz

CVE-2026-35041 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶