Description

fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1.

INFO

Published Date :

2026-04-09T14:55:22.807Z

Last Modified :

2026-04-09T16:15:25.352Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35041 vulnerability.

Vendors Products
Nearform
  • Fast-jwt
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35041.

URL Resource
https://github.com/nearform/fast-jwt/commit/b0be0ca161593836a153d5180ca5358ad9b5de94 cve-icon cve-icon
https://github.com/nearform/fast-jwt/pull/595 cve-icon cve-icon
https://github.com/nearform/fast-jwt/releases/tag/v6.2.1 cve-icon cve-icon
https://github.com/nearform/fast-jwt/security/advisories/GHSA-cjw9-ghj4-fwxf cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact