{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34950", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T17:27:08.661Z", "datePublished": "2026-04-06T15:54:03.765Z", "dateUpdated": "2026-04-06T18:43:16.088Z"}, "containers": {"cna": {"title": "fast-jwt has an incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key", "problemTypes": [{"descriptions": [{"cweId": "CWE-327", "lang": "en", "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-mvf2-f6gm-w987", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-mvf2-f6gm-w987"}], "affected": [{"vendor": "nearform", "product": "fast-jwt", "versions": [{"version": "<= 6.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T15:54:03.765Z"}, "descriptions": [{"lang": "en", "value": "fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, the publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact same JWT algorithm confusion attack that CVE-2023-48223 patched."}], "source": {"advisory": "GHSA-mvf2-f6gm-w987", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T18:43:07.105733Z", "id": "CVE-2026-34950", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:43:16.088Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34950", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T18:43:07.105733Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:43:12.442Z"}}], "cna": {"title": "fast-jwt has an incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key", "source": {"advisory": "GHSA-mvf2-f6gm-w987", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "nearform", "product": "fast-jwt", "versions": [{"status": "affected", "version": "<= 6.1.0"}]}], "references": [{"url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-mvf2-f6gm-w987", "name": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-mvf2-f6gm-w987", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, the publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact same JWT algorithm confusion attack that CVE-2023-48223 patched."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-327", "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T15:54:03.765Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34950", "state": "PUBLISHED", "dateUpdated": "2026-04-06T18:43:16.088Z", "dateReserved": "2026-03-31T17:27:08.661Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T15:54:03.765Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nearform:fast-jwt:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "FD2BA255-333A-4CF2-9B8E-C685DF7A11A9", "versionEndExcluding": "6.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, the publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact same JWT algorithm confusion attack that CVE-2023-48223 patched."}], "id": "CVE-2026-34950", "lastModified": "2026-04-22T20:17:47.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T16:16:38.017", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-mvf2-f6gm-w987"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "fast-jwt", "source": "cna", "vendor": "nearform"}, "product": "fast-jwt", "vendor": "nearform"}], "analysis": {"en": {"generated_at": "2026-04-06T19:39:09.367053+00:00", "value": {"mitigation_remediation": ["Upgrade fast\u2011jwt to the latest stable release where the regex has been corrected. ", "In environments where an immediate upgrade is not possible, ensure that any JWT key strings are trimmed of leading whitespace before being passed to the library."], "summary": {"action": "Apply Patch", "impact": "JWT Algorithm Confusion \u2013 Unauthorized Token Forgery"}, "threat_synthesis": {"affected_systems": "The affected product is the nearform fast\u2011jwt library. Versions 6.1.0 and any earlier releases contain the flaw; newer releases are not affected. This applies to all applications that depend on fast\u2011jwt for JWT verification, especially those using RSA public key verification.", "description_and_impact": "The vulnerability arises from an incomplete patch of a prior JWT algorithm confusion flaw. In fast\u2011jwt versions 6.1.0 and earlier, the public key matching regular expression incorrectly accepts a key string that begins with whitespace, causing the regex to fail at the start anchor. This re\u2011enables the ability to manipulate the algorithm field of a JWT and trick the library into verifying a forged token. The flaw is categorized as CWE\u2011327, representing the misuse of cryptographic algorithms. If exploited, an attacker could generate valid\u2011looking tokens that grant unauthorized access to protected resources, undermining confidentiality and integrity of the service.", "risk_and_exploitability": "With a CVSS score of 9.1, the vulnerability is considered critical. While an EPSS score is not available, the high severity rating indicates a significant risk if the flaw is present. The attack likely occurs remotely by supplying a crafted JWT with a whitespace\u2011prefixed RSA public key to services that use fast\u2011jwt, allowing token forgery. The vulnerability does not appear in the CISA Known Exploited Vulnerabilities catalog, but the lack of a patch in older versions makes it a high\u2011risk issue for systems still running 6.1.0 or earlier."}}}}, "created": "2026-04-06T20:13:51.898855+00:00", "updated": "2026-04-06T21:31:48.411706+00:00", "vendors": ["nearform", "nearform$PRODUCT$fast-jwt"]}