Denial-of-Service Vulnerability in Fast-JWT Library by Nearform
CVE-2026-35041

4.2 MEDIUM

Key Information:

Vendor

Nearform

Status
Vendor
CVE Published:
9 April 2026

What is CVE-2026-35041?

fast-jwt, a fast JSON Web Token (JWT) implementation, contains a regular-expression denial-of-service (ReDoS) issue. When the `allowedAud` verification option is supplied as a regular expression, a JWT whose `aud` claim is crafted against that pattern can trigger catastrophic backtracking in JavaScript's regex engine. Token verification then burns excessive CPU, degrading or stalling the verifying service; there is no confidentiality or integrity impact. The issue is fixed in fast-jwt 6.2.1, and users of affected versions should update to 6.2.1 or later. As a general precaution, where the acceptable audience values are known in advance, pass them as exact strings rather than a pattern, and keep any pattern that is used anchored and free of nested quantifiers such as `(a+)+`.
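The following is an added example, not fast-jwt's own code. It models an audience check that applies a caller-supplied RegExp to the `aud` claim of a decoded token, times the naive form against a crafted claim to show the backtracking blow-up, and contrasts it with a hardened form that refuses nested-quantifier patterns and bounds what the regex engine sees. All helper names (`encodeToken`, `decodePayload`, `audienceMatchesNaive`, `audienceMatchesHardened`, `hasNestedQuantifier`), the length and count limits, and the sample patterns are this example's assumptions; the token signature is a dummy because only claim handling is being demonstrated.

```javascript
// Added example (not fast-jwt's code): a regex-based audience check, the
// crafted-aud cost blow-up, and two hardening measures.
// Limits below are assumptions chosen for the example.
const MAX_AUD_LEN = 256;   // assumed cap on one audience value
const MAX_AUD_COUNT = 16;  // assumed cap on entries in an `aud` array

// Build a compact JWT for test input (constructed; the signature part is a dummy).
function encodeToken(payload) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(payload)}.sig`;
}

// Read the payload without verifying it. A real verifier must check the
// signature before trusting any claim, including `aud`.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

function audList(payload) {
  return Array.isArray(payload.aud) ? payload.aud : [payload.aud];
}

// Naive check: run the pattern over every aud entry with no limits at all.
function audienceMatchesNaive(payload, allowedAud) {
  return audList(payload).some((a) => typeof a === 'string' && allowedAud.test(a));
}

// Heuristic: flag a quantified group that itself contains a quantifier,
// e.g. (a+)+ or (\w*)*, the classic catastrophic-backtracking shape.
function hasNestedQuantifier(re) {
  return /\((?:[^()\\]|\\.)*[+*](?:[^()\\]|\\.)*\)[+*{]/.test(re.source);
}

// Hardened check: reject unsafe patterns up front, accept exact strings, and
// bound the input handed to the regex engine so a crafted aud cannot inflate cost.
function audienceMatchesHardened(payload, allowedAud) {
  if (allowedAud instanceof RegExp && hasNestedQuantifier(allowedAud)) {
    throw new Error(`unsafe allowedAud pattern: ${allowedAud}`);
  }
  const auds = audList(payload);
  if (auds.length > MAX_AUD_COUNT) return false;
  return auds.some((a) => {
    if (typeof a !== 'string' || a.length > MAX_AUD_LEN) return false;
    return allowedAud instanceof RegExp ? allowedAud.test(a) : allowedAud === a;
  });
}

// Time the naive check on an aud of n 'a's followed by a character the pattern
// cannot match; an (a+)+ pattern then tries every partition of the run.
function naiveCheckMillis(allowedAud, n) {
  const token = encodeToken({ aud: 'a'.repeat(n) + '!' });
  const start = process.hrtime.bigint();
  audienceMatchesNaive(decodePayload(token), allowedAud);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

const evilPattern = /^(a+)+$/;                        // assumed unsafe allowedAud
const safePattern = /^https:\/\/api\.example\.com$/;  // assumed safe allowedAud

if (typeof require !== 'undefined' && require.main === module) {
  // Cost roughly doubles with each extra 'a' for the unsafe pattern.
  for (const n of [16, 20, 22]) {
    console.log(`naive check, n=${n}: ${naiveCheckMillis(evilPattern, n).toFixed(1)} ms`);
  }
  let rejected = false;
  try { audienceMatchesHardened({ aud: 'x' }, evilPattern); } catch { rejected = true; }
  console.log('hardened check rejects unsafe pattern:', rejected);
}
```

The timing loop is the part worth watching: the same check that returns in microseconds for a short benign audience takes visibly longer with every extra character in a crafted one, which is the behaviour the advisory describes. The nested-quantifier heuristic is deliberately simple and will not catch every pathological pattern; the length and count caps are the more robust half of the defence because they bound the engine's work regardless of the pattern.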

Affected Version(s)

fast-jwt >= 5.0.0, < 6.2.1

CVSS V3.1

Score:
4.2
Severity:
MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Note that a denial-of-service issue by definition carries an availability impact; with C:N/I:N and the exploitability metrics above, only A:H produces the published 4.2 score.
