CVE-2026-35042
Published: 2026-04-06
Priority: P3 (40) · Severity: high · CVSS 3.1 base score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.15% (5.1th percentile)
fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nearform | fast-jwt | < 6.2.0 | 6.2.0 |
| nearform | fast-jwt | <= 6.1.0 | — |
| nearform | fast-jwt | 0 – 6.1.0 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| ghsa | | 7.5 | HIGH | |
| osv | | 7.5 | HIGH | |
GHSA
fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation)
ghsa · 2026-04-03 · CVSS 7.5 · HIGH · CWE-345
## Summary
`fast-jwt` does not validate the `crit` (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a `crit` array listing extensions that `fast-jwt` does not understand, the library accepts the token instead of rejecting it. This violates the **MUST** requirement in the RFC.
---
## RFC Requirement
RFC 7515 §4.1.11:
> If any of the listed extension Header Parameters are **not understood
> and supported** by the recipient, then the **JWS is invalid**.
---
## Proof of Concept
```javascript
const { createSigner, createVerifier } = require("fast-jwt"); // v3.3.3
const signer = createSigner({ key: "secret", algorithm: "HS256" });
const token = signer({
  sub: "attacker",
  role: "admin",
});
// The advisory's proof of concept is truncated at this point in the source.
```
OSV
osv · 2026-04-03 · CVSS 7.5 (same advisory text as the GHSA entry above)
No detection rules found.
No public exploits indexed.
Published: 2026-04-06