{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35042", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T21:06:06.428Z", "datePublished": "2026-04-06T17:02:12.180Z", "dateUpdated": "2026-04-07T15:59:49.872Z"}, "containers": {"cna": {"title": "fast-jwt accepts unknown `crit` header extensions (RFC 7515 \u00a74.1.11 MUST violation)", "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-636", "lang": "en", "description": "CWE-636: Not Failing Securely ('Failing Open')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-hm7r-c7qw-ghp6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-hm7r-c7qw-ghp6"}, {"name": "https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11", "tags": ["x_refsource_MISC"], "url": "https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11"}], "affected": [{"vendor": "nearform", "product": "fast-jwt", "versions": [{"version": "<= 6.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T17:02:12.180Z"}, "descriptions": [{"lang": "en", "value": "fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit (Critical) Header Parameter defined in RFC 7515 \u00a74.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC."}], "source": {"advisory": "GHSA-hm7r-c7qw-ghp6", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-hm7r-c7qw-ghp6", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T15:19:36.239438Z", "id": "CVE-2026-35042", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:59:49.872Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35042", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T15:19:36.239438Z"}}}], "references": [{"url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-hm7r-c7qw-ghp6", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:19:44.996Z"}}], "cna": {"title": "fast-jwt accepts unknown `crit` header extensions (RFC 7515 \u00a74.1.11 MUST violation)", "source": {"advisory": "GHSA-hm7r-c7qw-ghp6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nearform", "product": "fast-jwt", "versions": [{"status": "affected", "version": "<= 6.1.0"}]}], "references": [{"url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-hm7r-c7qw-ghp6", "name": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-hm7r-c7qw-ghp6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11", "name": "https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit (Critical) Header Parameter defined in RFC 7515 \u00a74.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345: Insufficient Verification of Data Authenticity"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-636", "description": "CWE-636: Not Failing Securely ('Failing Open')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T17:02:12.180Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35042", "state": "PUBLISHED", "dateUpdated": "2026-04-07T15:59:49.872Z", "dateReserved": "2026-03-31T21:06:06.428Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T17:02:12.180Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nearform:fast-jwt:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "FD2BA255-333A-4CF2-9B8E-C685DF7A11A9", "versionEndExcluding": "6.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit (Critical) Header Parameter defined in RFC 7515 \u00a74.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC."}], "id": "CVE-2026-35042", "lastModified": "2026-04-10T18:35:35.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T17:17:13.410", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-hm7r-c7qw-ghp6"}, {"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-hm7r-c7qw-ghp6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}, {"lang": "en", "value": "CWE-636"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "fast-jwt", "source": "cna", "vendor": "nearform"}, "product": "fast-jwt", "vendor": "nearform"}], "analysis": {"en": {"generated_at": "2026-04-10T19:29:17.850195+00:00", "value": {"mitigation_remediation": ["Upgrade fast-jwt to a version that validates the crit header parameter; the latest releases incorporate the required RFC check.", "If an immediate upgrade is not feasible, modify the application to pre\u2011validate or reject any token that contains a crit header before it reaches fast-jwt.", "Audit the application for any use of fast-jwt in untrusted contexts and apply stricter input validation.", "Stay informed about vendor advisories and apply patches as soon as they are available."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Token Acceptance"}, "threat_synthesis": {"affected_systems": "Affected are installations of the fast-jwt library by nearform, specifically version 6.1.0 and all earlier releases. No patches are noted for later versions in the provided data, so the risk applies to all environments running those legacy releases.", "description_and_impact": "The vulnerability stems from fast-jwt\u2019s failure to validate the crit (Critical) Header Parameter defined in RFC 7515 \u00a74.1.11. When a JWS token includes a crit array listing extensions that the library does not understand, the implementation accepts the token instead of rejecting it. This behavior violates the mandatory requirement of the standard and allows a malicious actor to supply tokens with unknown or crafted extensions that may be interpreted incorrectly, potentially leading to authorization bypass or other unintended behavior. The weakness is consistent with CWE\u2011345 (Use of Externally\u2011Controlled Input to Select or Construct the Function or Path to Construct) and CWE\u2011636 (Conditional Logic Not Properly Guarded).", "risk_and_exploitability": "The CVSS Base score of 7.5 signals a high severity, while the EPSS score of less than 1% indicates a low likelihood of current exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would deliver crafted JWTs\u2014often embedded in HTTP requests\u2014to trigger the library\u2019s acceptance of critically malformed tokens. Since fast-jwt commonly processes tokens transmitted over the network, the attack can be performed remotely, albeit it requires the attacker to gain the ability to supply the token through the application\u2019s input channel."}}}}, "created": "2026-04-06T21:29:56.698044+00:00", "updated": "2026-04-13T14:27:45.028002+00:00", "vendors": ["nearform", "nearform$PRODUCT$fast-jwt"]}