{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35041", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T21:06:06.428Z", "datePublished": "2026-04-09T14:55:22.807Z", "dateUpdated": "2026-04-09T16:15:25.352Z"}, "containers": {"cna": {"title": "ReDoS in fast-jwt when using RegExp in allowed* leading to CPU exhaustion during token verification", "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-cjw9-ghj4-fwxf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-cjw9-ghj4-fwxf"}, {"name": "https://github.com/nearform/fast-jwt/pull/595", "tags": ["x_refsource_MISC"], "url": "https://github.com/nearform/fast-jwt/pull/595"}, {"name": "https://github.com/nearform/fast-jwt/commit/b0be0ca161593836a153d5180ca5358ad9b5de94", "tags": ["x_refsource_MISC"], "url": "https://github.com/nearform/fast-jwt/commit/b0be0ca161593836a153d5180ca5358ad9b5de94"}, {"name": "https://github.com/nearform/fast-jwt/releases/tag/v6.2.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/nearform/fast-jwt/releases/tag/v6.2.1"}], "affected": [{"vendor": "nearform", "product": "fast-jwt", "versions": [{"version": ">= 5.0.0, < 6.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T14:55:22.807Z"}, "descriptions": [{"lang": "en", "value": "fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1."}], "source": {"advisory": "GHSA-cjw9-ghj4-fwxf", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-cjw9-ghj4-fwxf", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T16:14:14.434470Z", "id": "CVE-2026-35041", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T16:15:25.352Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35041", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T16:14:14.434470Z"}}}], "references": [{"url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-cjw9-ghj4-fwxf", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T16:14:24.545Z"}}], "cna": {"title": "ReDoS in fast-jwt when using RegExp in allowed* leading to CPU exhaustion during token verification", "source": {"advisory": "GHSA-cjw9-ghj4-fwxf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nearform", "product": "fast-jwt", "versions": [{"status": "affected", "version": ">= 5.0.0, < 6.2.1"}]}], "references": [{"url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-cjw9-ghj4-fwxf", "name": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-cjw9-ghj4-fwxf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nearform/fast-jwt/pull/595", "name": "https://github.com/nearform/fast-jwt/pull/595", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nearform/fast-jwt/commit/b0be0ca161593836a153d5180ca5358ad9b5de94", "name": "https://github.com/nearform/fast-jwt/commit/b0be0ca161593836a153d5180ca5358ad9b5de94", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nearform/fast-jwt/releases/tag/v6.2.1", "name": "https://github.com/nearform/fast-jwt/releases/tag/v6.2.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333: Inefficient Regular Expression Complexity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T14:55:22.807Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35041", "state": "PUBLISHED", "dateUpdated": "2026-04-09T16:15:25.352Z", "dateReserved": "2026-03-31T21:06:06.428Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T14:55:22.807Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nearform:fast-jwt:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "0E23134A-F7C0-40FB-AB4C-5B056C011E0B", "versionEndExcluding": "6.2.1", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1."}], "id": "CVE-2026-35041", "lastModified": "2026-04-14T20:15:13.637", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-09T16:16:27.383", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nearform/fast-jwt/commit/b0be0ca161593836a153d5180ca5358ad9b5de94"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/nearform/fast-jwt/pull/595"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/nearform/fast-jwt/releases/tag/v6.2.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-cjw9-ghj4-fwxf"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-cjw9-ghj4-fwxf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,6.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "fast-jwt", "source": "cna", "vendor": "nearform"}, "product": "fast-jwt", "vendor": "nearform"}], "analysis": {"en": {"generated_at": "2026-04-14T21:37:55.078314+00:00", "value": {"mitigation_remediation": ["Upgrade fast-jwt to version 6.2.1 or later.", "Review the library configuration to avoid using regular expressions for the allowedAud option; use literal strings or a static array of allowed values instead.", "Monitor application performance and verify that token verification no longer triggers high CPU usage after the upgrade."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the nearform Fast\u2011jwt library for Node.js. Versions from 5.0.0 through 6.2.0 are impacted. The issue is fixed in release 6.2.1 and later.", "description_and_impact": "A denial\u2011of\u2011service condition exists in the fast\u2011jwt library when the allowedAud verification option is configured with a regular expression. Attacker\u2011controlled JSON Web Token claim values are evaluated against the supplied RegExp, and a carefully crafted token can trigger catastrophic backtracking in the JavaScript regex engine. This results in elevated CPU consumption during verification, effectively exhausting server resources. The weakness is a classic Regular Expression Backtracking issue (CWE\u20111333).", "risk_and_exploitability": "The CVSS score is 4.2, indicating moderate severity, and the EPSS score is below 1%, suggesting a low probability of exploitation in the wild at present. However, once a malicious JWT is presented to an application using this library with a RegExp allowedAud configuration, the backtracking can be triggered, which may allow an attacker to cause out\u2011of\u2011band denial of service. The vulnerability is not listed in the CISA KEV catalog, but care should be taken as it can be exploited remotely via the application\u2019s authentication endpoint."}}}}, "created": "2026-04-10T08:53:18.800500+00:00", "updated": "2026-04-15T16:00:07.804237+00:00", "vendors": ["nearform", "nearform$PRODUCT$fast-jwt"]}