CVE-2026-35039 Overview
CVE-2026-35039 is an Authorization Bypass vulnerability affecting fast-jwt, a high-performance JSON Web Token (JWT) implementation for Node.js applications. The vulnerability exists in versions 0.0.1 through 6.1.x and stems from improper cache key generation when using custom cacheKeyBuilder methods. When cache keys are not uniquely generated for different tokens, cache collisions can occur during the verification process, potentially causing tokens to be misidentified and users to be authenticated as other users.
Critical Impact
This vulnerability can lead to complete user identity bypass, allowing attackers to gain unauthorized access to other users' accounts and data through cache collision attacks on JWT verification.
Affected Products
- fast-jwt versions 0.0.1 through 6.1.x
- Node.js applications using fast-jwt with custom cacheKeyBuilder implementations
- Applications with JWT caching enabled and non-unique cache key generation
Discovery Timeline
- 2026-04-06 - CVE-2026-35039 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35039
Vulnerability Analysis
The vulnerability is classified under CWE-345 (Insufficient Verification of Data Authenticity) and affects the token verification caching mechanism in fast-jwt. When applications implement a custom cacheKeyBuilder method that does not generate sufficiently unique keys for different tokens, the verification cache can experience collisions. These collisions result in one token's claims being returned when verifying a completely different token.
The attack can be executed remotely without authentication and requires no user interaction. Successful exploitation compromises both the confidentiality and integrity of user sessions, as attackers can effectively impersonate other users by triggering cache key collisions during JWT verification.
Root Cause
The root cause lies in the application-level implementation of the cacheKeyBuilder function. When developers implement custom cache key generation logic that doesn't account for all distinguishing characteristics of a JWT, multiple different valid tokens can map to the same cache key. Prior to version 6.2.0, fast-jwt did not warn developers about the security implications of improper cache key construction, so vulnerable configurations could persist silently in production environments.
Attack Vector
An attacker can exploit this vulnerability by crafting JWTs that produce cache key collisions with other valid tokens in the system. The attack flow involves:
- Identifying or inferring the custom cacheKeyBuilder logic used by the target application
- Crafting a valid JWT that generates the same cache key as another user's token
- Submitting the crafted token during verification, which returns cached claims from the colliding token
- Gaining unauthorized access with the identity and permissions of the collided user
const allowedCritHeadersSet = new Set(allowedCritHeaders || [])
+ const cache = createCache(cacheSize)
+
+ if (cache && options?.cacheKeyBuilder) {
+ process.emitWarning(
+ 'A custom cacheKeyBuilder is in use with caching enabled. ' +
+ 'Cache key collisions can lead to identity/authorization bypass. ' +
+ 'Make sure your cacheKeyBuilder generates unique keys for different tokens. ' +
+ 'See https://github.com/nearform/fast-jwt/security/advisories/GHSA-rp9m-7r4c-75qg',
+ { code: 'FAST_JWT_CACHE_KEY_BUILDER_SECURITY_RISK' }
+ )
+ }
+
// Add validators
const validators = []
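Review bot: the warning is emitted with only a `code` in its options object; consider also passing a `type` (Node defaults it to 'Warning') so consumers can distinguish this security warning from other library warnings in a `process.on('warning', ...)` handler, and document the new `FAST_JWT_CACHE_KEY_BUILDER_SECURITY_RISK` code in the README or changelog, since the hunk adds no documentation for it. The `cache &&` guard means a cacheKeyBuilder configured with caching disabled stays silent, which matches the advisory's risk model and is worth stating in that documentation.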
Source: GitHub Commit Update
Detection Methods for CVE-2026-35039
Indicators of Compromise
- Unexpected user session switches or identity changes in application logs
- Authentication logs showing users accessing resources they shouldn't have permissions for
- Multiple different user sessions resolving to the same cached token claims
- Warning messages with code FAST_JWT_CACHE_KEY_BUILDER_SECURITY_RISK in application logs (after upgrading to patched versions)
Detection Strategies
- Review application code for custom cacheKeyBuilder implementations in fast-jwt verifier configurations
- Audit JWT verification cache hit rates for anomalous patterns indicating collisions
- Implement logging around JWT verification to track claim mismatches between submitted and cached tokens
- Use static analysis tools to identify weak or insufficient cache key generation logic
Monitoring Recommendations
- Enable verbose logging for JWT verification operations to detect identity mismatches
- Monitor for the FAST_JWT_CACHE_KEY_BUILDER_SECURITY_RISK warning in application logs after upgrading
- Implement anomaly detection on user session behavior to identify sudden permission or role changes
- Track authentication events where token claims don't match expected user context
How to Mitigate CVE-2026-35039
Immediate Actions Required
- Upgrade fast-jwt to version 6.2.0 or later immediately
- Review all custom cacheKeyBuilder implementations to ensure unique key generation for different tokens
- Consider disabling JWT caching temporarily until a proper upgrade can be performed
- Audit recent authentication logs for signs of exploitation
Patch Information
The vulnerability has been patched in fast-jwt version 6.2.0. The fix introduces a process warning when custom cacheKeyBuilder methods are used with caching enabled, alerting developers to the security implications. The patch commit de121056c6415b58770c60640881eaec67ac4ceb implements this warning mechanism.
For detailed patch information, see the GitHub Security Advisory and the GitHub Commit Update.
Workarounds
- Remove custom cacheKeyBuilder implementations and use the default cache key generation
- Disable caching entirely by setting cacheSize to 0 or removing cache configuration
- Ensure custom cacheKeyBuilder functions include the complete token string or a cryptographic hash of the entire token
- Implement additional server-side validation to verify token claims match the authenticated user context
# Upgrade example
# Install the patched release and update the range in package.json
npm install "fast-jwt@^6.2.0"
# Verify the installed version
npm list fast-jwt
# If using yarn
yarn upgrade "fast-jwt@^6.2.0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.