Vulnerability-Lookup

CVE-2026-35040 (GCVE-0-2026-35040)

Vulnerability from cvelistv5 – Published: 2026-04-09 14:52 – Updated: 2026-04-13 20:03

Title

fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)

Summary

fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided. Such modifiers are /g (global matching) and /y (sticky matching). This does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes 50% of valid authentication requests to fail in an alternating pattern. This vulnerability is fixed in 6.2.1.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-697 - Incorrect Comparison
CWE-440 - Expected Behavior Violation

Assigner

GitHub_M

References

URL

Tags

	https://github.com/nearform/fast-jwt/security/adv…	x_refsource_CONFIRM
	https://github.com/nearform/fast-jwt/pull/593	x_refsource_MISC
	https://github.com/nearform/fast-jwt/commit/18d25…	x_refsource_MISC
	https://github.com/nearform/fast-jwt/releases/tag…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	nearform	fast-jwt	Affected: < 6.2.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35040",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T20:03:24.317971Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T20:03:41.746Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "fast-jwt",
          "vendor": "nearform",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.2.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided. Such modifiers are /g (global matching) and /y (sticky matching). This does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes 50% of valid authentication requests to fail in an alternating pattern. This vulnerability is fixed in 6.2.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-697",
              "description": "CWE-697: Incorrect Comparison",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-440",
              "description": "CWE-440: Expected Behavior Violation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T14:52:56.436Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-3j8v-cgw4-2g6q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-3j8v-cgw4-2g6q"
        },
        {
          "name": "https://github.com/nearform/fast-jwt/pull/593",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nearform/fast-jwt/pull/593"
        },
        {
          "name": "https://github.com/nearform/fast-jwt/commit/18d25904e4617e8753526d1b3ab5a2cccdea726a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nearform/fast-jwt/commit/18d25904e4617e8753526d1b3ab5a2cccdea726a"
        },
        {
          "name": "https://github.com/nearform/fast-jwt/releases/tag/v6.2.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nearform/fast-jwt/releases/tag/v6.2.1"
        }
      ],
      "source": {
        "advisory": "GHSA-3j8v-cgw4-2g6q",
        "discovery": "UNKNOWN"
      },
      "title": "fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-35040",
    "datePublished": "2026-04-09T14:52:56.436Z",
    "dateReserved": "2026-03-31T21:06:06.428Z",
    "dateUpdated": "2026-04-13T20:03:41.746Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-35040",
      "date": "2026-04-27",
      "epss": "0.00093",
      "percentile": "0.25932"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-35040\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-09T16:16:27.213\",\"lastModified\":\"2026-04-17T20:10:05.477\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided. Such modifiers are /g (global matching) and /y (sticky matching). This does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes 50% of valid authentication requests to fail in an alternating pattern. This vulnerability is fixed in 6.2.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-440\"},{\"lang\":\"en\",\"value\":\"CWE-697\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nearform:fast-jwt:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"6.2.1\",\"matchCriteriaId\":\"2B44A0FB-C037-42E0-9666-7491FF59219D\"}]}]}],\"references\":[{\"url\":\"https://github.com/nearform/fast-jwt/commit/18d25904e4617e8753526d1b3ab5a2cccdea726a\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/nearform/fast-jwt/pull/593\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/nearform/fast-jwt/releases/tag/v6.2.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/nearform/fast-jwt/security/advisories/GHSA-3j8v-cgw4-2g6q\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-35040\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-13T20:03:24.317971Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-13T20:03:37.570Z\"}}], \"cna\": {\"title\": \"fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)\", \"source\": {\"advisory\": \"GHSA-3j8v-cgw4-2g6q\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"nearform\", \"product\": \"fast-jwt\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 6.2.1\"}]}], \"references\": [{\"url\": \"https://github.com/nearform/fast-jwt/security/advisories/GHSA-3j8v-cgw4-2g6q\", \"name\": \"https://github.com/nearform/fast-jwt/security/advisories/GHSA-3j8v-cgw4-2g6q\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/nearform/fast-jwt/pull/593\", \"name\": \"https://github.com/nearform/fast-jwt/pull/593\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/nearform/fast-jwt/commit/18d25904e4617e8753526d1b3ab5a2cccdea726a\", \"name\": \"https://github.com/nearform/fast-jwt/commit/18d25904e4617e8753526d1b3ab5a2cccdea726a\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/nearform/fast-jwt/releases/tag/v6.2.1\", \"name\": \"https://github.com/nearform/fast-jwt/releases/tag/v6.2.1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided. Such modifiers are /g (global matching) and /y (sticky matching). This does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes 50% of valid authentication requests to fail in an alternating pattern. This vulnerability is fixed in 6.2.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-697\", \"description\": \"CWE-697: Incorrect Comparison\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-440\", \"description\": \"CWE-440: Expected Behavior Violation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-09T14:52:56.436Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-35040\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-13T20:03:41.746Z\", \"dateReserved\": \"2026-03-31T21:06:06.428Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-09T14:52:56.436Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-35040

Vulnerability from fkie_nvd - Published: 2026-04-09 16:16 - Updated: 2026-04-17 20:10

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/nearform/fast-jwt/commit/18d25904e4617e8753526d1b3ab5a2cccdea726a	Patch
security-advisories@github.com	https://github.com/nearform/fast-jwt/pull/593	Issue Tracking, Patch
security-advisories@github.com	https://github.com/nearform/fast-jwt/releases/tag/v6.2.1	Product, Release Notes
security-advisories@github.com	https://github.com/nearform/fast-jwt/security/advisories/GHSA-3j8v-cgw4-2g6q	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	nearform	fast-jwt	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nearform:fast-jwt:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "2B44A0FB-C037-42E0-9666-7491FF59219D",
              "versionEndExcluding": "6.2.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided. Such modifiers are /g (global matching) and /y (sticky matching). This does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes 50% of valid authentication requests to fail in an alternating pattern. This vulnerability is fixed in 6.2.1."
    }
  ],
  "id": "CVE-2026-35040",
  "lastModified": "2026-04-17T20:10:05.477",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-09T16:16:27.213",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nearform/fast-jwt/commit/18d25904e4617e8753526d1b3ab5a2cccdea726a"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/nearform/fast-jwt/pull/593"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/nearform/fast-jwt/releases/tag/v6.2.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-3j8v-cgw4-2g6q"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-440"
        },
        {
          "lang": "en",
          "value": "CWE-697"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-3J8V-CGW4-2G6Q

Vulnerability from github – Published: 2026-04-09 16:41 – Updated: 2026-04-09 19:05

Summary

fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)

Details

Impact

Using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided.

Such modifiers are: - /g : Global matching - /y : Sticky matching

This does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes 50% of valid authentication requests to fail in an alternating pattern, leading to: - Intermittent user authentication failures - Potential retry storms in applications - Operational monitoring alerts

Affected Configurations

This vulnerability ONLY affects applications that:

Use RegExp objects (not strings) in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options
Use stateful RegExp modifiers such a /g or /y

Example: allowedAud: /abc/g ← IMPACTED Example: allowedAud: "/abc/" ← SAFE

Not Affected

Applications using string patterns for audience validation (most common)
Applications using RegExp patterns without stateful modifiers

Assessment Guide

To determine if you're affected:

Check if allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options use RegExp objects (/pattern/ or new RegExp()) If yes, review the pattern for stateful modifiers like /g, /y If no RegExp usage or no stateful modifiers, you are NOT affected

Mitigation Options

While a fix will be coming in the next version of the package you can take steps to mitigate the issue immediately by removing any such modifiers (/g, /y) from the regex.

Summary

fast-jwt accepts RegExp for allowedAud, allowedIss, allowedSub, allowedJti, and allowedNonce.

If the provided regular expression uses the g (global) or y (sticky) flag, verification becomes non-deterministic: the same valid token alternates between acceptance and rejection across successive calls.

This occurs because RegExp.prototype.test() is stateful when g/y is set (it mutates lastIndex), and fast-jwt reuses the same RegExp object without resetting lastIndex.

Affected component

src/verifier.js

ensureStringClaimMatcher() returns the RegExp object directly.

validateClaimValues() performs repeated a.test(v) calls without resetting lastIndex.

Impact

Logical denial-of-service / authentication flapping.

A valid signed JWT can be intermittently rejected.

Causes unpredictable authentication outcomes across repeated verification calls.

Can trigger retry storms and cascading failures in API gateways and authentication middleware.

Affects any deployment that configures allowed* using RegExp and includes g or y flags.

Root cause

validateClaimValues() uses: allowed.some(a => a.test(v))

When a is a RegExp with g or y, a.test() mutates a.lastIndex.

Subsequent calls against the same input can return different results.

Proof of concept

Environment

fast-jwt: 6.1.0 (repo HEAD)
Node.js: v24.13.1

PoC const { createSigner, createVerifier } = require('fast-jwt')

const sign = createSigner({ key: 'secret' }) const token = sign({ aud: 'admin', iss: 'issuer' })

run('allowedAud global regex', { allowedAud: /^admin$/g }) run('allowedIss global regex', { allowedIss: /^issuer$/g }) run('control (non-global regex)', { allowedAud: /^admin$/ })

Observed behavior

allowedAud with /g alternates PASS/FAIL across calls
allowedIss with /g alternates PASS/FAIL across calls
control regex (no g/y) is deterministic and always PASS

Expected behavior

Validation must be deterministic.

The same token under the same verifier configuration must always yield the same decision.

Suggested fix (minimal and safe)

Wrap RegExp matchers inside ensureStringClaimMatcher() to reset lastIndex before calling test(): if (r instanceof RegExp) { return { test: v => { r.lastIndex = 0; return r.test(v) } } }

This preserves semantics for non-global regexes, makes g/y deterministic, and avoids changes in the rest of the verifier logic.

Security classification

Logical DoS / authentication reliability failure.

This can be weaponized to produce production outages via retry storms and auth instability.

Why this is not “misuse”

The library explicitly accepts RegExp for allowed* claim validation.
The behavior difference is caused by internal state mutation of RegExp.test().
The same token, same verifier config, same runtime yields different outcomes.
Security decisions must be deterministic; non-determinism at the verification layer is a correctness flaw.
Consumers cannot reliably defend against this unless the library normalizes matcher state.

Notes

Affects allowedAud, allowedIss, allowedSub, allowedJti, allowedNonce equally (shared matcher logic).
Independent from the previously reported ReDoS; this is a determinism and correctness failure that can still produce production DoS effects.

PoC Code: 'use strict'

/* * PoC: Stateful RegExp flags (g/y) cause non-deterministic allowed-claim validation * fast-jwt reuses the same RegExp object; RegExp.test() mutates lastIndex when g/y is set. * * This script prints a human-readable log AND writes evidence to JSON. * * Usage: * node poc_regex_state_evidence.js /

const fs = require('node:fs') const path = require('node:path') const { createSigner, createVerifier } = require('fast-jwt')

const OUT_JSON = path.join(process.cwd(), 'evidence-regex-stateful-fastjwt.json') const OUT_LOG = path.join(process.cwd(), 'evidence-regex-stateful-fastjwt.log')

// Make a stable, valid token const sign = createSigner({ key: 'secret' }) const token = sign({ aud: 'admin', iss: 'issuer', sub: 'subject', jti: 'id-123', nonce: 'nonce-xyz' })

function runCase(name, verifierOpts, iterations = 12) { const verify = createVerifier({ key: 'secret', ...verifierOpts })

const results = [] for (let i = 0; i < iterations; i++) { try { verify(token) results.push({ i, ok: true }) } catch (e) { results.push({ i, ok: false, code: e.code || null, message: e.message || String(e) }) } }

return results }

function summarize(results) { const seq = results.map(r => (r.ok ? 'PASS' : 'FAIL')).join(' ') const pass = results.filter(r => r.ok).length const fail = results.length - pass return { pass, fail, seq } }

function printCase(name, opts, results) { const s = summarize(results) const lines = [] lines.push(== ${name}) lines.push(opts: ${JSON.stringify(opts)}) lines.push(PASS=${s.pass} FAIL=${s.fail}) lines.push(sequence: ${s.seq}) lines.push('') return lines.join('\n') }

function main() { const meta = { poc: 'stateful-regexp-allowed-claims', package: 'fast-jwt', node: process.version, timestamp: new Date().toISOString(), note: 'RegExp.test is stateful when g/y flags are set; lastIndex mutation causes alternating PASS/FAIL.' }

// Cases: g/y should flap, control should be stable const cases = [ { name: 'allowedAud with global RegExp /g (expected: flapping)', opts: { allowedAud: /^admin$/g } }, { name: 'allowedAud with sticky RegExp /y (expected: flapping)', opts: { allowedAud: /^admin$/y } }, { name: 'allowedIss with global RegExp /g (expected: flapping)', opts: { allowedIss: /^issuer$/g } }, { name: 'allowedSub with global RegExp /g (expected: flapping)', opts: { allowedSub: /^subject$/g } }, { name: 'allowedJti with global RegExp /g (expected: flapping)', opts: { allowedJti: /^id-123$/g } }, { name: 'allowedNonce with global RegExp /g (expected: flapping)', opts: { allowedNonce: /^nonce-xyz$/g } }, { name: 'CONTROL: allowedAud with non-global RegExp (expected: stable PASS)', opts: { allowedAud: /^admin$/ } } ]

const evidence = { meta, token: { alg: 'HS256 (autodetected by fast-jwt)', signed: true, jwt: token }, cases: [] }

let log = '' for (const c of cases) { const results = runCase(c.name, c.opts, 12) const s = summarize(results)

evidence.cases.push({
  name: c.name,
  opts: c.opts,
  iterations: results.length,
  pass: s.pass,
  fail: s.fail,
  sequence: s.seq,
  results
})

log += printCase(c.name, c.opts, results)

}

fs.writeFileSync(OUT_JSON, JSON.stringify(evidence, null, 2)) fs.writeFileSync(OUT_LOG, log)

console.log(log) console.log([+] Wrote JSON evidence: ${OUT_JSON}) console.log([+] Wrote LOG evidence : ${OUT_LOG}) }

main()

Output: PS C:\Users\Franciny Rojas\Desktop\crypto-research\fast-jwt> node .\poc_regex_state_evidence.js == allowedAud with global RegExp /g (expected: flapping) opts: {"allowedAud":{}} PASS=6 FAIL=6 sequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL == allowedAud with sticky RegExp /y (expected: flapping) opts: {"allowedAud":{}} PASS=6 FAIL=6 sequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL == allowedIss with global RegExp /g (expected: flapping) opts: {"allowedIss":{}} PASS=6 FAIL=6 sequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL == allowedSub with global RegExp /g (expected: flapping) opts: {"allowedSub":{}} PASS=6 FAIL=6 sequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL == allowedJti with global RegExp /g (expected: flapping) opts: {"allowedJti":{}} PASS=6 FAIL=6 sequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL == allowedNonce with global RegExp /g (expected: flapping) opts: {"allowedNonce":{}} PASS=6 FAIL=6 sequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL == CONTROL: allowedAud with non-global RegExp (expected: stable PASS) opts: {"allowedAud":{}} PASS=12 FAIL=0 sequence: PASS PASS PASS PASS PASS PASS PASS PASS PASS PASS PASS PASS

[+] Wrote JSON evidence: C:\Users\Franciny Rojas\Desktop\crypto-research\fast-jwt\evidence-regex-stateful-fastjwt.json [+] Wrote LOG evidence : C:\Users\Franciny Rojas\Desktop\crypto-research\fast-jwt\evidence-regex-stateful-fastjwt.log PS C:\Users\Franciny Rojas\Desktop\crypto-research\fast-jwt>

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fast-jwt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35040"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440",
      "CWE-697"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-09T16:41:20Z",
    "nvd_published_at": "2026-04-09T16:16:27Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nUsing certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided.\n\nSuch modifiers are:\n- /g : Global matching\n- /y : Sticky matching\n\nThis does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes **50% of valid authentication requests to fail** in an alternating pattern, leading to:\n  - Intermittent user authentication failures\n  - Potential retry storms in applications\n  - Operational monitoring alerts\n\n## Affected Configurations\n\n### This vulnerability ONLY affects applications that:\n\n- Use RegExp objects (not strings) in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options\n- Use stateful RegExp modifiers such a /g or /y\n\nExample: allowedAud: /abc/g \u2190 IMPACTED\nExample: allowedAud: \"/abc/\" \u2190 SAFE\n\n### Not Affected\n\n- Applications using string patterns for audience validation (most common)\n- Applications using RegExp patterns without stateful modifiers\n\n### Assessment Guide\nTo determine if you\u0027re affected:\n\nCheck if  allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options use RegExp objects (/pattern/ or new RegExp())\nIf yes, review the pattern for stateful modifiers like /g, /y\nIf no RegExp usage or no stateful modifiers, you are NOT affected\n\n## Mitigation Options\nWhile a fix will be coming in the next version of the package you can take steps to mitigate the issue immediately by removing any such modifiers (/g, /y) from the regex.\n\n---\n\nSummary\n\nfast-jwt accepts RegExp for allowedAud, allowedIss, allowedSub, allowedJti, and allowedNonce.\n\nIf the provided regular expression uses the g (global) or y (sticky) flag, verification becomes non-deterministic: the same valid token alternates between acceptance and rejection across successive calls.\n\nThis occurs because RegExp.prototype.test() is stateful when g/y is set (it mutates lastIndex), and fast-jwt reuses the same RegExp object without resetting lastIndex.\n\n\nAffected component\n\nsrc/verifier.js\n\nensureStringClaimMatcher() returns the RegExp object directly.\n\nvalidateClaimValues() performs repeated a.test(v) calls without resetting lastIndex.\n\n\nImpact\n\nLogical denial-of-service / authentication flapping.\n\nA valid signed JWT can be intermittently rejected.\n\nCauses unpredictable authentication outcomes across repeated verification calls.\n\nCan trigger retry storms and cascading failures in API gateways and authentication middleware.\n\nAffects any deployment that configures allowed* using RegExp and includes g or y flags.\n\n\nRoot cause\n\nvalidateClaimValues() uses: allowed.some(a =\u003e a.test(v))\n\n\nWhen `a` is a RegExp with g or y, `a.test()` mutates `a.lastIndex`.\n\nSubsequent calls against the same input can return different results.\n\n\nProof of concept\n\nEnvironment\n\n- fast-jwt: 6.1.0 (repo HEAD)\n- Node.js: v24.13.1\n\nPoC\nconst { createSigner, createVerifier } = require(\u0027fast-jwt\u0027)\n\nconst sign = createSigner({ key: \u0027secret\u0027 })\nconst token = sign({ aud: \u0027admin\u0027, iss: \u0027issuer\u0027 })\n\nfunction run(name, opts) {\nconst verify = createVerifier({ key: \u0027secret\u0027, ...opts })\nconsole.log(\u0027\\n==\u0027, name)\nfor (let i = 0; i \u003c 8; i++) {\ntry { verify(token); console.log(i, \u0027PASS\u0027) }\ncatch (e) { console.log(i, \u0027FAIL\u0027, e.code || e.message) }\n}\n}\n\nrun(\u0027allowedAud global regex\u0027, { allowedAud: /^admin$/g })\nrun(\u0027allowedIss global regex\u0027, { allowedIss: /^issuer$/g })\nrun(\u0027control (non-global regex)\u0027, { allowedAud: /^admin$/ })\n\n\n\nObserved behavior\n\n- allowedAud with `/g` alternates PASS/FAIL across calls\n- allowedIss with `/g` alternates PASS/FAIL across calls\n- control regex (no g/y) is deterministic and always PASS\n\n\nExpected behavior\n\nValidation must be deterministic.\n\nThe same token under the same verifier configuration must always yield the same decision.\n\n\nSuggested fix (minimal and safe)\n\nWrap RegExp matchers inside ensureStringClaimMatcher() to reset lastIndex before calling test():\nif (r instanceof RegExp) {\nreturn { test: v =\u003e { r.lastIndex = 0; return r.test(v) } }\n}\n\n\nThis preserves semantics for non-global regexes, makes g/y deterministic, and avoids changes in the rest of the verifier logic.\n\n\nSecurity classification\n\nLogical DoS / authentication reliability failure.\n\nThis can be weaponized to produce production outages via retry storms and auth instability.\n\n\nWhy this is not \u201cmisuse\u201d\n\n- The library explicitly accepts RegExp for allowed* claim validation.\n- The behavior difference is caused by internal state mutation of RegExp.test().\n- The same token, same verifier config, same runtime yields different outcomes.\n- Security decisions must be deterministic; non-determinism at the verification layer is a correctness flaw.\n- Consumers cannot reliably defend against this unless the library normalizes matcher state.\n\n\nNotes\n\n- Affects allowedAud, allowedIss, allowedSub, allowedJti, allowedNonce equally (shared matcher logic).\n- Independent from the previously reported ReDoS; this is a determinism and correctness failure that can still produce production DoS effects.\n\n\nPoC Code:\n\u0027use strict\u0027\n\n/**\n * PoC: Stateful RegExp flags (g/y) cause non-deterministic allowed-claim validation\n * fast-jwt reuses the same RegExp object; RegExp.test() mutates lastIndex when g/y is set.\n *\n * This script prints a human-readable log AND writes evidence to JSON.\n *\n * Usage:\n *   node poc_regex_state_evidence.js\n */\n\nconst fs = require(\u0027node:fs\u0027)\nconst path = require(\u0027node:path\u0027)\nconst { createSigner, createVerifier } = require(\u0027fast-jwt\u0027)\n\nconst OUT_JSON = path.join(process.cwd(), \u0027evidence-regex-stateful-fastjwt.json\u0027)\nconst OUT_LOG  = path.join(process.cwd(), \u0027evidence-regex-stateful-fastjwt.log\u0027)\n\n// Make a stable, valid token\nconst sign = createSigner({ key: \u0027secret\u0027 })\nconst token = sign({\n  aud: \u0027admin\u0027,\n  iss: \u0027issuer\u0027,\n  sub: \u0027subject\u0027,\n  jti: \u0027id-123\u0027,\n  nonce: \u0027nonce-xyz\u0027\n})\n\nfunction runCase(name, verifierOpts, iterations = 12) {\n  const verify = createVerifier({ key: \u0027secret\u0027, ...verifierOpts })\n\n  const results = []\n  for (let i = 0; i \u003c iterations; i++) {\n    try {\n      verify(token)\n      results.push({ i, ok: true })\n    } catch (e) {\n      results.push({ i, ok: false, code: e.code || null, message: e.message || String(e) })\n    }\n  }\n\n  return results\n}\n\nfunction summarize(results) {\n  const seq = results.map(r =\u003e (r.ok ? \u0027PASS\u0027 : \u0027FAIL\u0027)).join(\u0027 \u0027)\n  const pass = results.filter(r =\u003e r.ok).length\n  const fail = results.length - pass\n  return { pass, fail, seq }\n}\n\nfunction printCase(name, opts, results) {\n  const s = summarize(results)\n  const lines = []\n  lines.push(`== ${name}`)\n  lines.push(`opts: ${JSON.stringify(opts)}`)\n  lines.push(`PASS=${s.pass} FAIL=${s.fail}`)\n  lines.push(`sequence: ${s.seq}`)\n  lines.push(\u0027\u0027)\n  return lines.join(\u0027\\n\u0027)\n}\n\nfunction main() {\n  const meta = {\n    poc: \u0027stateful-regexp-allowed-claims\u0027,\n    package: \u0027fast-jwt\u0027,\n    node: process.version,\n    timestamp: new Date().toISOString(),\n    note: \u0027RegExp.test is stateful when g/y flags are set; lastIndex mutation causes alternating PASS/FAIL.\u0027\n  }\n\n  // Cases: g/y should flap, control should be stable\n  const cases = [\n    {\n      name: \u0027allowedAud with global RegExp /g (expected: flapping)\u0027,\n      opts: { allowedAud: /^admin$/g }\n    },\n    {\n      name: \u0027allowedAud with sticky RegExp /y (expected: flapping)\u0027,\n      opts: { allowedAud: /^admin$/y }\n    },\n    {\n      name: \u0027allowedIss with global RegExp /g (expected: flapping)\u0027,\n      opts: { allowedIss: /^issuer$/g }\n    },\n    {\n      name: \u0027allowedSub with global RegExp /g (expected: flapping)\u0027,\n      opts: { allowedSub: /^subject$/g }\n    },\n    {\n      name: \u0027allowedJti with global RegExp /g (expected: flapping)\u0027,\n      opts: { allowedJti: /^id-123$/g }\n    },\n    {\n      name: \u0027allowedNonce with global RegExp /g (expected: flapping)\u0027,\n      opts: { allowedNonce: /^nonce-xyz$/g }\n    },\n    {\n      name: \u0027CONTROL: allowedAud with non-global RegExp (expected: stable PASS)\u0027,\n      opts: { allowedAud: /^admin$/ }\n    }\n  ]\n\n  const evidence = {\n    meta,\n    token: {\n      alg: \u0027HS256 (autodetected by fast-jwt)\u0027,\n      signed: true,\n      jwt: token\n    },\n    cases: []\n  }\n\n  let log = \u0027\u0027\n  for (const c of cases) {\n    const results = runCase(c.name, c.opts, 12)\n    const s = summarize(results)\n\n    evidence.cases.push({\n      name: c.name,\n      opts: c.opts,\n      iterations: results.length,\n      pass: s.pass,\n      fail: s.fail,\n      sequence: s.seq,\n      results\n    })\n\n    log += printCase(c.name, c.opts, results)\n  }\n\n  fs.writeFileSync(OUT_JSON, JSON.stringify(evidence, null, 2))\n  fs.writeFileSync(OUT_LOG, log)\n\n  console.log(log)\n  console.log(`[+] Wrote JSON evidence: ${OUT_JSON}`)\n  console.log(`[+] Wrote LOG evidence : ${OUT_LOG}`)\n}\n\nmain()\n\n\nOutput:\nPS C:\\Users\\Franciny Rojas\\Desktop\\crypto-research\\fast-jwt\u003e node .\\poc_regex_state_evidence.js\n== allowedAud with global RegExp /g (expected: flapping)\nopts: {\"allowedAud\":{}}\nPASS=6 FAIL=6\nsequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL\n== allowedAud with sticky RegExp /y (expected: flapping)\nopts: {\"allowedAud\":{}}\nPASS=6 FAIL=6\nsequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL\n== allowedIss with global RegExp /g (expected: flapping)\nopts: {\"allowedIss\":{}}\nPASS=6 FAIL=6\nsequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL\n== allowedSub with global RegExp /g (expected: flapping)\nopts: {\"allowedSub\":{}}\nPASS=6 FAIL=6\nsequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL\n== allowedJti with global RegExp /g (expected: flapping)\nopts: {\"allowedJti\":{}}\nPASS=6 FAIL=6\nsequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL\n== allowedNonce with global RegExp /g (expected: flapping)\nopts: {\"allowedNonce\":{}}\nPASS=6 FAIL=6\nsequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL\n== CONTROL: allowedAud with non-global RegExp (expected: stable PASS)\nopts: {\"allowedAud\":{}}\nPASS=12 FAIL=0\nsequence: PASS PASS PASS PASS PASS PASS PASS PASS PASS PASS PASS PASS\n\n[+] Wrote JSON evidence: C:\\Users\\Franciny Rojas\\Desktop\\crypto-research\\fast-jwt\\evidence-regex-stateful-fastjwt.json\n[+] Wrote LOG evidence : C:\\Users\\Franciny Rojas\\Desktop\\crypto-research\\fast-jwt\\evidence-regex-stateful-fastjwt.log\nPS C:\\Users\\Franciny Rojas\\Desktop\\crypto-research\\fast-jwt\u003e",
  "id": "GHSA-3j8v-cgw4-2g6q",
  "modified": "2026-04-09T19:05:11Z",
  "published": "2026-04-09T16:41:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-3j8v-cgw4-2g6q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35040"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nearform/fast-jwt/pull/593"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nearform/fast-jwt/commit/18d25904e4617e8753526d1b3ab5a2cccdea726a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nearform/fast-jwt"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nearform/fast-jwt/releases/tag/v6.2.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-35040 (GCVE-0-2026-35040)

FKIE_CVE-2026-35040

GHSA-3J8V-CGW4-2G6Q

Impact

Affected Configurations

This vulnerability ONLY affects applications that:

Not Affected

Assessment Guide

Mitigation Options

Tags

Sightings

Nomenclature