CVE-2026-35040 Overview
CVE-2026-35040 is a Denial of Service vulnerability affecting the fast-jwt library, a popular JSON Web Token (JWT) implementation for Node.js applications. The vulnerability arises from improper handling of stateful RegExp modifiers in JWT verification options, causing intermittent authentication failures that reject 50% of valid tokens in an alternating pattern.
Critical Impact
Applications using fast-jwt with /g (global) or /y (sticky) RegExp modifiers in verify options will experience 50% authentication failure rates, causing significant availability issues for legitimate users.
Affected Products
- fast-jwt versions prior to 6.2.1
- Node.js applications using affected fast-jwt versions with RegExp options in verify functions
- Authentication systems relying on allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options with stateful modifiers
Discovery Timeline
- 2026-04-09 - CVE-2026-35040 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35040
Vulnerability Analysis
This vulnerability is classified under CWE-440 (Expected Behavior Violation). The root issue lies in JavaScript's RegExp object behavior when certain modifiers are used. When a RegExp object with the /g (global) or /y (sticky) modifier is used in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce verification options, the stateful nature of these modifiers causes unintended behavior during token validation.
JavaScript RegExp objects with the global (/g) or sticky (/y) flag maintain an internal lastIndex property that records where the next match should begin. After a successful match, lastIndex advances past the matched portion, so a later call on the same RegExp object searches from that position rather than from the start of the string. For an anchored pattern the second call finds nothing; a failed match resets lastIndex to 0, so the call after that succeeds again. The result is that every second verification attempt fails, because the matcher starts from the wrong position.
It is important to note that this vulnerability does NOT allow invalid tokens to bypass authentication. Rather, it causes legitimate, valid tokens to be improperly rejected approximately 50% of the time in an alternating success-failure pattern.
Root Cause
The vulnerability stems from the reuse of RegExp objects with stateful modifiers across multiple verification calls. When developers configure verification options using patterns like /^expected-issuer$/g instead of /^expected-issuer$/, the RegExp's internal state persists between calls, causing the alternating failure pattern.
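The alternation described above, as an added example that is not fast-jwt's code: claimMatches() is an assumed, minimal model of how a verify option such as allowedIss is compared with a token claim (RegExp.prototype.test() on the claim value, string equality otherwise), and the issuer value is constructed. Running the same option object through repeated checks shows the /g and /y patterns rejecting every second call while the flag-free pattern accepts all of them.

```javascript
// Added example (not fast-jwt's code): a minimal model of how a verify option
// such as allowedIss is compared with a token claim. The assumption is that the
// library calls RegExp.prototype.test() on the claim value when the option is a
// RegExp; strings and arrays of strings/RegExps are modelled as well.
function claimMatches(allowed, value) {
  if (allowed instanceof RegExp) return allowed.test(value);
  if (Array.isArray(allowed)) return allowed.some((item) => claimMatches(item, value));
  return allowed === value;
}

// Re-run the same check with the SAME option object, as a long-lived verifier
// does across requests, recording each outcome and the RegExp's lastIndex.
function simulateVerifications(allowed, value, count) {
  const outcomes = [];
  for (let i = 0; i < count; i++) {
    const ok = claimMatches(allowed, value);
    const lastIndex = allowed instanceof RegExp ? allowed.lastIndex : null;
    outcomes.push({ ok, lastIndex });
  }
  return outcomes;
}

// Constructed claim value: a genuinely valid issuer that every call should accept.
const VALID_ISSUER = "https://issuer.example.com";

// /g: the first test() matches and sets lastIndex to 26 (the string length);
// the second starts at position 26, where ^ cannot match, fails and resets
// lastIndex to 0; the third succeeds again, and so on.
function statefulOutcomes() {
  return simulateVerifications(/^https:\/\/issuer\.example\.com$/g, VALID_ISSUER, 4);
}
// -> ok: [true, false, true, false], lastIndex: [26, 0, 26, 0]

// /y behaves the same for an anchored pattern: the sticky match must begin
// exactly at lastIndex, which is 26 after every successful call.
function stickyOutcomes() {
  return simulateVerifications(/^https:\/\/issuer\.example\.com$/y, VALID_ISSUER, 4);
}
// -> ok: [true, false, true, false]

// Same pattern without the modifier: test() ignores lastIndex, every call succeeds.
function statelessOutcomes() {
  return simulateVerifications(/^https:\/\/issuer\.example\.com$/, VALID_ISSUER, 4);
}
// -> ok: [true, true, true, true], lastIndex stays 0

for (const [label, fn] of [["/g", statefulOutcomes], ["/y", stickyOutcomes], ["no flag", statelessOutcomes]]) {
  console.log(label.padEnd(8), fn().map((o) => `${o.ok ? "accept" : "reject"}@${o.lastIndex}`).join(" "));
}
```

Note that each evaluation of a regex literal creates a fresh RegExp object, which is why the three functions above start from lastIndex 0 on every call; a verifier built once and reused keeps the same object, and with it the stale lastIndex, across requests.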
Attack Vector
This is a network-accessible vulnerability that does not require authentication or user interaction to trigger. While not a traditional security bypass, the denial of service impact is significant:
The vulnerability manifests when an application configures JWT verification with stateful RegExp modifiers. Each verification attempt alternates between success and failure regardless of token validity. An attacker could exploit this by simply making repeated authentication requests, knowing that approximately half of legitimate user sessions will experience authentication failures. This creates service degradation without requiring any malicious payload.
The attack does not require special privileges or complex preconditions—any application using the affected configuration will exhibit this behavior under normal operation.
Detection Methods for CVE-2026-35040
Indicators of Compromise
- Intermittent authentication failures affecting approximately 50% of valid JWT verification attempts
- Alternating success/failure patterns in authentication logs that don't correlate with token validity
- User reports of random session failures or logout events
- Increased support tickets related to authentication issues with no clear pattern
Detection Strategies
- Review application code for RegExp objects using /g or /y modifiers in fast-jwt verify options
- Audit allowedAud, allowedIss, allowedSub, allowedJti, and allowedNonce configuration parameters
- Implement automated dependency scanning to identify fast-jwt versions below 6.2.1
- Monitor authentication success/failure ratios for unusual patterns indicating 50% failure rates
Monitoring Recommendations
- Implement authentication metrics tracking to detect abnormal failure rates
- Set up alerts for sudden increases in JWT verification failures
- Monitor application logs for RegExp-related errors during token verification
- Track user session continuity to identify unexplained authentication drops
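The failure-ratio and alternation monitoring suggested in the detection and monitoring lists above, as an added example that is not part of the advisory or of fast-jwt: the log lines and their format are constructed for this example, and parseVerifyLog() would need adapting to a real application's logging.

```javascript
// Added example (not from the advisory or fast-jwt): flag the alternating
// accept/reject signature in verification logs. The log format is constructed
// for this example; adapt parseVerifyLog() to your own log lines.
const SUSPECT_LOG = [
  "2026-04-09T10:00:00Z jwt.verify sub=alice result=ok",
  "2026-04-09T10:00:01Z jwt.verify sub=bob result=fail reason=iss_mismatch",
  "2026-04-09T10:00:02Z jwt.verify sub=alice result=ok",
  "2026-04-09T10:00:03Z jwt.verify sub=alice result=fail reason=iss_mismatch",
  "2026-04-09T10:00:04Z jwt.verify sub=carol result=ok",
  "2026-04-09T10:00:05Z jwt.verify sub=bob result=fail reason=iss_mismatch",
  "2026-04-09T10:00:06Z jwt.verify sub=bob result=ok",
  "2026-04-09T10:00:07Z jwt.verify sub=carol result=fail reason=iss_mismatch",
].join("\n");

// Constructed healthy baseline: one expired token among otherwise valid ones.
const HEALTHY_LOG = [
  "2026-04-09T11:00:00Z jwt.verify sub=alice result=ok",
  "2026-04-09T11:00:01Z jwt.verify sub=bob result=ok",
  "2026-04-09T11:00:02Z jwt.verify sub=carol result=ok",
  "2026-04-09T11:00:03Z jwt.verify sub=dave result=fail reason=expired",
  "2026-04-09T11:00:04Z jwt.verify sub=alice result=ok",
  "2026-04-09T11:00:05Z jwt.verify sub=bob result=ok",
  "2026-04-09T11:00:06Z jwt.verify sub=carol result=ok",
  "2026-04-09T11:00:07Z jwt.verify sub=alice result=ok",
].join("\n");

function parseVerifyLog(text) {
  const entries = [];
  for (const line of text.split("\n")) {
    const m = /^(\S+) jwt\.verify sub=(\S+) result=(ok|fail)(?: reason=(\S+))?/.exec(line);
    if (m) entries.push({ ts: m[1], sub: m[2], ok: m[3] === "ok", reason: m[4] || null });
  }
  return entries;
}

function analyzeVerifyOutcomes(entries, { minSamples = 8 } = {}) {
  const total = entries.length;
  const failures = entries.filter((e) => !e.ok).length;
  let flips = 0;
  for (let i = 1; i < total; i++) {
    if (entries[i].ok !== entries[i - 1].ok) flips++;
  }
  const failureRatio = total ? failures / total : 0;
  const flipRatio = total > 1 ? flips / (total - 1) : 0;
  // Two signals together: roughly half of all attempts fail, and the outcome
  // flips on nearly every consecutive attempt regardless of which user sent the
  // token (the stale lastIndex lives in the shared verifier, not in a session).
  const suspicious = total >= minSamples && Math.abs(failureRatio - 0.5) <= 0.1 && flipRatio >= 0.8;
  return { total, failures, failureRatio, flipRatio, suspicious };
}

console.log("suspect:", analyzeVerifyOutcomes(parseVerifyLog(SUSPECT_LOG)));
// -> failures 4 of 8, flipRatio 1, suspicious true
console.log("healthy:", analyzeVerifyOutcomes(parseVerifyLog(HEALTHY_LOG)));
// -> failures 1 of 8, suspicious false
```

Under concurrent load the strict alternation blurs because requests interleave, so the stable signal is the failure ratio settling near 50% with a claim-mismatch reason (issuer, audience, subject, jti or nonce) rather than an expiry or signature error; the flip ratio is most useful over a single worker's sequential log.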
How to Mitigate CVE-2026-35040
Immediate Actions Required
- Upgrade fast-jwt to version 6.2.1 or later immediately
- Review all JWT verification configurations for RegExp patterns with /g or /y modifiers
- Remove stateful modifiers from any RegExp patterns used in verification options
- Test authentication flows thoroughly after configuration changes
Patch Information
The vulnerability has been fixed in fast-jwt version 6.2.1. The fix ships in the GitHub release for version 6.2.1; the technical details can be reviewed in the corresponding GitHub commit and the associated pull request discussion. The official GitHub Security Advisory GHSA-3j8v-cgw4-2g6q provides additional context.
Workarounds
- Replace RegExp patterns using /g or /y modifiers with patterns without stateful flags
- Use string values instead of RegExp objects for simple matching requirements in verify options
- Create new RegExp instances for each verification call rather than reusing objects
- Consider using array values with multiple allowed strings instead of complex RegExp patterns
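The configuration review and the first workaround above, as an added example that is not fast-jwt's code: the five option names come from the advisory, the verify-options object is constructed, and findStatefulRegExpOptions() and hardenVerifyOptions() are hypothetical helpers that locate the /g and /y patterns and produce a corrected copy.

```javascript
// Added example (not fast-jwt's code): audit a verify-options object for
// stateful RegExp modifiers and build a hardened copy. The option names come
// from the advisory; the sample configuration below is constructed.
const CLAIM_OPTIONS = ["allowedAud", "allowedIss", "allowedSub", "allowedJti", "allowedNonce"];

function hasStatefulFlags(value) {
  return value instanceof RegExp && (value.global || value.sticky);
}

// Returns one finding per offending pattern, including its position when the
// option is an array of allowed values.
function findStatefulRegExpOptions(options) {
  const findings = [];
  for (const name of CLAIM_OPTIONS) {
    const value = options[name];
    if (value === undefined) continue;
    const items = Array.isArray(value) ? value : [value];
    items.forEach((item, index) => {
      if (hasStatefulFlags(item)) {
        findings.push({ option: name, index: Array.isArray(value) ? index : null, pattern: String(item) });
      }
    });
  }
  return findings;
}

// Rebuild the pattern with the same source but without g and y; the other
// flags (i, m, s, u) are not stateful and are kept.
function withoutStatefulFlags(re) {
  const flags = [...re.flags].filter((f) => f !== "g" && f !== "y").join("");
  return new RegExp(re.source, flags);
}

// Shallow copy of the options with every offending pattern replaced; the
// original object is left untouched so the caller can diff the two.
function hardenVerifyOptions(options) {
  const hardened = { ...options };
  for (const name of CLAIM_OPTIONS) {
    const value = hardened[name];
    if (value === undefined) continue;
    const fix = (item) => (hasStatefulFlags(item) ? withoutStatefulFlags(item) : item);
    hardened[name] = Array.isArray(value) ? value.map(fix) : fix(value);
  }
  return hardened;
}

// Weak configuration (constructed): /g on allowedIss and /y inside the allowedAud array.
const weakOptions = {
  allowedIss: /^https:\/\/issuer\.example\.com$/g,
  allowedAud: ["billing-api", /^svc-[a-z]+$/iy],
  allowedSub: "alice",
};

// Corrected equivalent, written by hand; hardenVerifyOptions(weakOptions) yields the same patterns.
const correctedOptions = {
  allowedIss: /^https:\/\/issuer\.example\.com$/,
  allowedAud: ["billing-api", /^svc-[a-z]+$/i],
  allowedSub: "alice",
};

console.log(findStatefulRegExpOptions(weakOptions));
// -> two findings: allowedAud[1] (/^svc-[a-z]+$/iy) and allowedIss (/g)
console.log(findStatefulRegExpOptions(correctedOptions));
// -> []
```

Simple exact-match requirements such as allowedSub above need no RegExp at all; a plain string or an array of strings is both stateless and easier to audit.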
# Update fast-jwt to patched version
npm install fast-jwt@6.2.1
# Verify installed version
npm list fast-jwt
# Audit for vulnerable dependencies
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


