GHSA-CJW9-GHJ4-FWXF

Vulnerability from github – Published: 2026-04-09 16:41 – Updated: 2026-04-09 19:05
Summary
fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification
Details

⚠️ IMPORTANT CLARIFICATIONS

### Affected Configurations

This vulnerability ONLY affects applications that:

  • Use RegExp objects (not strings) in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options

  • Configure patterns susceptible to catastrophic backtracking

  • Example: allowedAud: /^(a+)+X$/ ← VULNERABLE

  • Example: allowedAud: "api.company.com" ← SAFE

### Not Affected

  • Applications using string patterns for audience validation (most common)

  • Applications using safe RegExp patterns without nested quantifiers

  • Default fast-jwt configurations

### Assessment Guide

To determine if you're affected:

  1. Check if allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce use RegExp objects (/pattern/ or new RegExp())

  2. If yes, review the pattern for nested quantifiers like (a+)+, (.*)*, etc.

  3. If no RegExp usage, you are NOT affected


Summary

A denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression.

Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification.

This occurs with a validly signed JWT, making the issue exploitable in authenticated contexts such as:

  • API gateways

  • authentication middleware

  • service-to-service communication

  • OAuth / OIDC token validation pipelines


Affected Component

  • Library: fast-jwt

  • Version tested: 6.1.0

  • Runtime: Node.js v24.13.1

  • Feature: claim validation using allowedAud: RegExp


Impact

CPU exhaustion / Denial of Service

A crafted JWT causes verification to take multiple seconds per request due to catastrophic regex backtracking.

Measured verification times

Input size (n) | Verification time
-- | --
24 | ~123 ms
28 | ~1.97 s
30 | ~7.85 s

This is sufficient to:

  • block Node.js event loop threads

  • degrade API throughput

  • cause cascading service failures

  • increase serverless execution costs

  • saturate authentication infrastructure


Root Cause

The library allows regular expressions in claim validation:

allowedAud: /^(a+)+X$/

The aud claim is attacker-controlled:

aud = "a".repeat(n) + "Y"

This creates catastrophic backtracking in the JavaScript regex engine.

Verification time grows exponentially as input length increases.


Exploitability

Attack requires:

  • a valid signed JWT (post-authentication context)

  • attacker control over the aud claim

  • a vulnerable regex configured by the application

Common real-world scenarios

  • shared HS secrets

  • internal JWT issuance

  • microservice authentication

  • OAuth / OIDC custom audiences

  • internal service tokens


Proof of Concept

Reproduction steps

  1. Install fast-jwt

  2. Configure verifier with a RegExp in allowedAud

  3. Send a valid signed JWT with adversarial aud

Attached artifacts

  • poc-suite-redos-fastjwt.js

  • evidence-redos-fastjwt.json

Observed behavior

Verification CPU time increases from milliseconds to multiple seconds as input length grows.


Security Classification

  • CWE-1333: Inefficient Regular Expression

  • CWE-400: Uncontrolled Resource Consumption

  • Class: Authenticated Denial of Service


Expected Behavior

The library should prevent unbounded CPU work on attacker-controlled claims.

Possible mitigations

  • safe-regex validation

  • maximum length enforcement for claims

  • regex complexity limits

  • documentation warning about ReDoS risks when using RegExp-based validation
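The assessment guide and the mitigation list above, turned into runnable defender-side checks. This is an added example and not fast-jwt's own code: it audits a set of verifier options for RegExp values with nested quantifiers, refuses such a pattern at configuration time, and bounds the length of a claim value before any pattern runs against it. The option names (allowedAud, allowedIss, allowedSub, allowedJti, allowedNonce) and the two sample configurations come from the advisory; the helper names, the nested-quantifier heuristic and the MAX_CLAIM_LENGTH bound are assumptions of this example.

```javascript
'use strict';
// Added example for this advisory, not fast-jwt's own code. It turns two
// parts of the write-up into runnable checks: the assessment guide (find
// RegExp values with nested quantifiers among the allowed* options) and
// the suggested mitigations (refuse such patterns at configuration time,
// bound claim length before any pattern runs). The option names come from
// the advisory; the helper names, the heuristic and MAX_CLAIM_LENGTH are
// assumptions of this example.

const REGEXP_OPTIONS = ['allowedAud', 'allowedIss', 'allowedSub', 'allowedJti', 'allowedNonce'];

// Heuristic from the assessment guide: a quantified group that itself
// contains a quantifier, e.g. (a+)+ or (.*)*. It is deliberately simple and
// not a complete ReDoS analysis; a safe-regex style checker goes further.
const NESTED_QUANTIFIER = /\((?:[^()\\]|\\.)*[+*](?:[^()\\]|\\.)*\)[+*{]/;

function hasNestedQuantifier(re) {
  return NESTED_QUANTIFIER.test(re.source);
}

// Walk the options a verifier would be built with and report every RegExp
// (single value or inside an array) whose source trips the heuristic.
// Plain strings are skipped: the advisory says they are not affected.
function auditVerifierOptions(options) {
  const findings = [];
  for (const name of REGEXP_OPTIONS) {
    const raw = options[name];
    if (raw === undefined) continue;
    const values = Array.isArray(raw) ? raw : [raw];
    for (const value of values) {
      if (value instanceof RegExp && hasNestedQuantifier(value)) {
        findings.push({ option: name, pattern: value.source, reason: 'nested quantifier' });
      }
    }
  }
  return findings;
}

// Assumed upper bound on a legitimate claim value; size it to what your
// issuer actually emits. This is defence in depth, not a substitute for the
// audit: an exponential pattern is already slow at the 24-30 characters
// measured in the advisory, so the audit has to reject it first.
const MAX_CLAIM_LENGTH = 256;

// Build a matcher once, at configuration time. A RegExp that fails the
// audit is rejected here so the per-token path never executes it; the
// length bound then stops surviving patterns from seeing oversized input.
function makeClaimMatcher(allowed, maxLength = MAX_CLAIM_LENGTH) {
  let pattern = null;
  if (allowed instanceof RegExp) {
    if (hasNestedQuantifier(allowed)) {
      throw new Error(`refusing pattern with nested quantifier: /${allowed.source}/`);
    }
    // Drop the global/sticky flags so .test() has no lastIndex state between calls.
    pattern = new RegExp(allowed.source, allowed.flags.replace(/[gy]/g, ''));
  } else if (typeof allowed !== 'string') {
    throw new TypeError('allowed value must be a string or a RegExp');
  }
  return function claimMatches(claimValue) {
    if (typeof claimValue !== 'string') return false;
    if (claimValue.length > maxLength) return false; // reject before any regex work
    return pattern === null ? claimValue === allowed : pattern.test(claimValue);
  };
}

// Constructed sample configurations mirroring the advisory's two examples.
const vulnerableConfig = { allowedAud: /^(a+)+X$/, allowedIss: 'https://issuer.example' };
const safeConfig = { allowedAud: 'api.company.com', allowedIss: /^https:\/\/issuer\.example$/ };

console.log('vulnerable config findings:', auditVerifierOptions(vulnerableConfig));
console.log('safe config findings:', auditVerifierOptions(safeConfig));
const audMatches = makeClaimMatcher(safeConfig.allowedAud);
console.log('exact audience:', audMatches('api.company.com'), 'oversized audience:', audMatches('a'.repeat(1000)));
```

Run it with `node` against the options object you pass to the verifier. The audit is meant for a startup or CI check, so a risky pattern fails the deploy rather than a request; the matcher shows where the length bound belongs, in front of the regex, and why it cannot stand alone against an exponential pattern.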


Notes

Signature verification occurs before claim validation, therefore this is not a pre-authentication DoS.

However, the vulnerability remains exploitable in authenticated or token-bearing contexts and can significantly impact production environments.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.2.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "fast-jwt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "6.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35041"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-09T16:41:40Z",
    "nvd_published_at": "2026-04-09T16:16:27Z",
    "severity": "MODERATE"
  },
  "id": "GHSA-cjw9-ghj4-fwxf",
  "modified": "2026-04-09T19:05:16Z",
  "published": "2026-04-09T16:41:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-cjw9-ghj4-fwxf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35041"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nearform/fast-jwt/pull/595"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nearform/fast-jwt/commit/b0be0ca161593836a153d5180ca5358ad9b5de94"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nearform/fast-jwt"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nearform/fast-jwt/releases/tag/v6.2.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification"
}

