Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35039

CVE-2026-35039: fast-jwt Auth Bypass Vulnerability

CVE-2026-35039 is an authentication bypass flaw in fast-jwt that causes cache collisions, leading to token misidentification and users being authenticated as other users. This article covers technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2026-35039 Overview

CVE-2026-35039 is an Authorization Bypass vulnerability affecting fast-jwt, a high-performance JSON Web Token (JWT) implementation for Node.js applications. The vulnerability exists in versions 0.0.1 through 6.1.x and stems from improper cache key generation when using custom cacheKeyBuilder methods. When cache keys are not uniquely generated for different tokens, cache collisions can occur during the verification process, potentially causing tokens to be misidentified and users to be authenticated as other users.

Critical Impact

This vulnerability can lead to complete user identity bypass, allowing attackers to gain unauthorized access to other users' accounts and data through cache collision attacks on JWT verification.

Affected Products

  • fast-jwt versions 0.0.1 through 6.1.x
  • Node.js applications using fast-jwt with custom cacheKeyBuilder implementations
  • Applications with JWT caching enabled and non-unique cache key generation

Discovery Timeline

  • 2026-04-06 - CVE CVE-2026-35039 published to NVD
  • 2026-04-08 - Last updated in NVD database

Technical Details for CVE-2026-35039

Vulnerability Analysis

The vulnerability is classified under CWE-345 (Insufficient Verification of Data Authenticity) and affects the token verification caching mechanism in fast-jwt. When applications implement a custom cacheKeyBuilder method that does not generate sufficiently unique keys for different tokens, the verification cache can experience collisions. These collisions result in one token's claims being returned when verifying a completely different token.

The attack can be executed remotely without authentication and requires no user interaction. Successful exploitation compromises both the confidentiality and integrity of user sessions, as attackers can effectively impersonate other users by triggering cache key collisions during JWT verification.

Root Cause

The root cause lies in the application-level implementation of the cacheKeyBuilder function. When developers implement custom cache key generation logic that doesn't account for all distinguishing characteristics of a JWT, multiple different valid tokens can hash to the same cache key. The fast-jwt library prior to version 6.2.0 did not warn developers about the security implications of improper cache key construction, allowing silently vulnerable configurations to persist in production environments.

Attack Vector

An attacker can exploit this vulnerability by crafting JWTs that produce cache key collisions with other valid tokens in the system. The attack flow involves:

  1. Identifying or inferring the custom cacheKeyBuilder logic used by the target application
  2. Crafting a valid JWT that generates the same cache key as another user's token
  3. Submitting the crafted token during verification, which returns cached claims from the colliding token
  4. Gaining unauthorized access with the identity and permissions of the collided user
javascript
 
   const allowedCritHeadersSet = new Set(allowedCritHeaders || [])
 
+  const cache = createCache(cacheSize)
+
+  if (cache && options?.cacheKeyBuilder) {
+    process.emitWarning(
+      'A custom cacheKeyBuilder is in use with caching enabled. ' +
+        'Cache key collisions can lead to identity/authorization bypass. ' +
+        'Make sure your cacheKeyBuilder generates unique keys for different tokens. ' +
+        'See https://github.com/nearform/fast-jwt/security/advisories/GHSA-rp9m-7r4c-75qg',
+      { code: 'FAST_JWT_CACHE_KEY_BUILDER_SECURITY_RISK' }
+    )
+  }
+
   // Add validators
   const validators = []

Source: GitHub Commit Update

Detection Methods for CVE-2026-35039

Indicators of Compromise

  • Unexpected user session switches or identity changes in application logs
  • Authentication logs showing users accessing resources they shouldn't have permissions for
  • Multiple different user sessions resolving to the same cached token claims
  • Warning messages with code FAST_JWT_CACHE_KEY_BUILDER_SECURITY_RISK in application logs (after upgrading to patched versions)

Detection Strategies

  • Review application code for custom cacheKeyBuilder implementations in fast-jwt verifier configurations
  • Audit JWT verification cache hit rates for anomalous patterns indicating collisions
  • Implement logging around JWT verification to track claim mismatches between submitted and cached tokens
  • Use static analysis tools to identify weak or insufficient cache key generation logic

Monitoring Recommendations

  • Enable verbose logging for JWT verification operations to detect identity mismatches
  • Monitor for the FAST_JWT_CACHE_KEY_BUILDER_SECURITY_RISK warning in application logs after upgrading
  • Implement anomaly detection on user session behavior to identify sudden permission or role changes
  • Track authentication events where token claims don't match expected user context

How to Mitigate CVE-2026-35039

Immediate Actions Required

  • Upgrade fast-jwt to version 6.2.0 or later immediately
  • Review all custom cacheKeyBuilder implementations to ensure unique key generation for different tokens
  • Consider disabling JWT caching temporarily until a proper upgrade can be performed
  • Audit recent authentication logs for signs of exploitation

Patch Information

The vulnerability has been patched in fast-jwt version 6.2.0. The fix introduces a process warning when custom cacheKeyBuilder methods are used with caching enabled, alerting developers to the security implications. The patch commit de121056c6415b58770c60640881eaec67ac4ceb implements this warning mechanism.

For detailed patch information, see the GitHub Security Advisory and the GitHub Commit Update.

Workarounds

  • Remove custom cacheKeyBuilder implementations and use the default cache key generation
  • Disable caching entirely by setting cacheSize to 0 or removing cache configuration
  • Ensure custom cacheKeyBuilder functions include the complete token string or a cryptographic hash of the entire token
  • Implement additional server-side validation to verify token claims match the authenticated user context
bash
# Configuration example
# Update fast-jwt in your package.json
npm update fast-jwt@^6.2.0

# Verify the installed version
npm list fast-jwt

# If using yarn
yarn upgrade fast-jwt@^6.2.0

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.