{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35039", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T21:06:06.428Z", "datePublished": "2026-04-06T16:59:43.124Z", "dateUpdated": "2026-05-13T15:12:43.989Z"}, "containers": {"cna": {"title": "fast-jwt Affected by Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)", "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-706", "lang": "en", "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1289", "lang": "en", "description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-rp9m-7r4c-75qg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-rp9m-7r4c-75qg"}, {"name": "https://github.com/nearform/fast-jwt/commit/de121056c6415b58770c60640881eaec67ac4ceb", "tags": ["x_refsource_MISC"], "url": "https://github.com/nearform/fast-jwt/commit/de121056c6415b58770c60640881eaec67ac4ceb"}], "affected": [{"vendor": "nearform", "product": "fast-jwt", "versions": [{"version": ">= 0.0.1, < 6.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T11:54:39.776Z"}, "descriptions": [{"lang": "en", "value": "fast-jwt provides fast JSON Web Token (JWT) implementation. From 0.0.1 to before 6.2.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification process leading to valid tokens returning claims from different valid tokens and users being mis-identified as other users based on the wrong token. Version 6.2.0 contains a patch."}], "source": {"advisory": "GHSA-rp9m-7r4c-75qg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T14:25:32.378641Z", "id": "CVE-2026-35039", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-13T15:12:43.989Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35039", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T14:25:32.378641Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:25:39.607Z"}}], "cna": {"title": "fast-jwt Affected by Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)", "source": {"advisory": "GHSA-rp9m-7r4c-75qg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "nearform", "product": "fast-jwt", "versions": [{"status": "affected", "version": ">= 0.0.1, < 6.2.0"}]}], "references": [{"url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-rp9m-7r4c-75qg", "name": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-rp9m-7r4c-75qg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nearform/fast-jwt/commit/de121056c6415b58770c60640881eaec67ac4ceb", "name": "https://github.com/nearform/fast-jwt/commit/de121056c6415b58770c60640881eaec67ac4ceb", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "fast-jwt provides fast JSON Web Token (JWT) implementation. From 0.0.1 to before 6.2.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification process leading to valid tokens returning claims from different valid tokens and users being mis-identified as other users based on the wrong token. Version 6.2.0 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345: Insufficient Verification of Data Authenticity"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-706", "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1289", "description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T11:54:39.776Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35039", "state": "PUBLISHED", "dateUpdated": "2026-05-13T15:12:43.989Z", "dateReserved": "2026-03-31T21:06:06.428Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T16:59:43.124Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nearform:fast-jwt:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "9B0182D1-3EBD-449D-91F1-DE0E6B616CE4", "versionEndExcluding": "6.1.0", "versionStartIncluding": "0.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "fast-jwt provides fast JSON Web Token (JWT) implementation. From 0.0.1 to before 6.2.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification process leading to valid tokens returning claims from different valid tokens and users being mis-identified as other users based on the wrong token. Version 6.2.0 contains a patch."}], "id": "CVE-2026-35039", "lastModified": "2026-04-22T19:05:01.623", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T17:17:13.243", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nearform/fast-jwt/commit/de121056c6415b58770c60640881eaec67ac4ceb"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-rp9m-7r4c-75qg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}, {"lang": "en", "value": "CWE-706"}, {"lang": "en", "value": "CWE-1289"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.1,6.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "fast-jwt", "source": "cna", "vendor": "nearform"}, "product": "fast-jwt", "vendor": "nearform"}], "analysis": {"en": {"generated_at": "2026-04-08T13:25:32.248507+00:00", "value": {"mitigation_remediation": ["Upgrade fast-jwt to version 6.2.0 or later, which contains a fix for cacheKeyBuilder collisions."], "summary": {"action": "Patch Immediately", "impact": "Authorization Mixup via Cache Collision"}, "threat_synthesis": {"affected_systems": "Node.js applications or other projects that depend on the nearform:fast-jwt package, specifically any installations using version 0.0.1 up to but not including 6.2.0.\nIf a custom cacheKeyBuilder is supplied, the risk applies regardless of the specific package version within that range.", "description_and_impact": "fast-jwt is a fast JSON Web Token implementation that, for versions 0.0.1 through 6.1.x, allowed a custom cacheKeyBuilder function that could be implemented incorrectly. When this function did not generate a unique key for each token, the library\u2019s cache could store a token\u2019s verification result under a key that later matched a different token. As a consequence, verification of one token could return claims from another valid token, causing a user to be misidentified as a different user. This defect permits an attacker to obtain the identity and authorization claims of another party without possessing the target\u2019s private key or token.", "risk_and_exploitability": "The vulnerability is scored highly with a CVSS 9.1 and a low EPSS (<1%), which means exploitation is possible but not yet widespread. It is not listed in the CISA KEV catalog, suggesting no known active exploitation at the time of the advisory. The likely attack scenario requires the attacker to influence the cacheKeyBuilder setting or supply a token that causes a built\u2011in cache collision. Successful exploitation would allow the attacker to impersonate another user or gain unauthorized access to resources that the victim\u2019s token is authorized to use."}}}}, "created": "2026-04-06T21:29:57.692404+00:00", "updated": "2026-04-08T19:50:37.115294+00:00", "vendors": ["nearform", "nearform$PRODUCT$fast-jwt"]}