CVE-2026-35041
MEDIUM
4.2
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: high
User Interaction: required
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: high
Description
fast-jwt provides a fast JSON Web Token (JWT) implementation. In versions 5.0.0 through 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1.
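A hardened audience check, added here as an example and not fast-jwt's own code: it compares the aud claim against an exact-string allow-list in linear time, so attacker-controlled text is never fed to a backtracking RegExp. The size bounds, allow-list and sample payloads are constructed for illustration.

```javascript
// Added example (not fast-jwt's own code): audience check that never hands the
// attacker-controlled "aud" claim to a regular expression. Exact matching against
// a Set runs in linear time, so no crafted claim can cause catastrophic backtracking.
const MAX_AUD_LENGTH = 256;  // assumed upper bound on one audience string
const MAX_AUD_ENTRIES = 8;   // assumed upper bound on entries in an "aud" array

// RFC 7519 allows "aud" to be a single string or an array of strings.
// Returns an array of strings, or null when the claim is malformed.
function normalizeAud(aud) {
  if (typeof aud === 'string') return [aud];
  if (Array.isArray(aud) && aud.every((a) => typeof a === 'string')) return aud;
  return null;
}

// True when at least one audience in the payload is exactly one of the allowed
// audiences. Oversized or malformed claims are rejected before any comparison.
function audienceAllowed(payload, allowedAud) {
  const audList = normalizeAud(payload && payload.aud);
  if (audList === null || audList.length === 0) return false;
  if (audList.length > MAX_AUD_ENTRIES) return false;
  if (audList.some((a) => a.length > MAX_AUD_LENGTH)) return false;
  const allowed = new Set(Array.isArray(allowedAud) ? allowedAud : [allowedAud]);
  return audList.some((a) => allowed.has(a));
}

// Constructed sample payloads (not real tokens) exercising the check.
const ALLOWED = ['https://api.example.com', 'https://admin.example.com'];
const samplePayloads = {
  valid: { sub: 'user-1', aud: 'https://api.example.com' },
  validArray: { sub: 'user-1', aud: ['other', 'https://admin.example.com'] },
  wrongAud: { sub: 'user-1', aud: 'https://evil.example.net' },
  // A long repetitive claim of the kind that stalls a backtracking regex is
  // rejected by the length bound before any matching happens.
  oversized: { sub: 'user-1', aud: 'a'.repeat(10000) + '!' },
  malformed: { sub: 'user-1', aud: { nested: true } },
};

// Runs every sample through the check and returns a name -> boolean map.
function runSamples() {
  const results = {};
  for (const [name, payload] of Object.entries(samplePayloads)) {
    results[name] = audienceAllowed(payload, ALLOWED);
  }
  return results;
}

console.log(runSamples());
```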
EPSS (Exploit Prediction Scoring System)
Predicts the probability of exploitation based on threat intelligence and the characteristics of the vulnerability.
EPSS Score: 0.0003
Percentile: 0.1th
CWE-1333: Inefficient Regular Expression Complexity (Draft)
Common Consequences
Security Scopes Affected:
Availability
Potential Impacts:
DoS: Resource Consumption (CPU)
Applicable Platforms
All platforms may be affected
Application
fast-jwt by Nearform
Version Range Affected
From: 5.0.0 (inclusive)
To: 6.2.1 (exclusive)
CPE Identifier
cpe:2.3:a:nearform:fast-jwt:*:*:*:*:*:node.js:*:*
https://github.com/nearform/fast-jwt/security/advisories/GHSA-cjw9-ghj4-fwxf
https://github.com/nearform/fast-jwt/commit/b0be0ca161593836a153d5180ca5358ad9b…
https://github.com/nearform/fast-jwt/pull/595
https://github.com/nearform/fast-jwt/releases/tag/v6.2.1