CVE-2026-35041 Overview
CVE-2026-35041 is a Regular Expression Denial of Service (ReDoS) vulnerability in fast-jwt, a fast JSON Web Token (JWT) implementation for Node.js. In versions 5.0.0 through 6.2.0, a denial-of-service condition exists when the allowedAud verification option is configured with a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, causing heavy CPU consumption during verification.
Critical Impact
Applications using fast-jwt with regular expression-based audience validation are vulnerable to CPU exhaustion attacks through maliciously crafted JWT tokens, potentially causing service degradation or complete denial of service.
Affected Products
- fast-jwt versions 5.0.0 through 6.2.0
- Node.js applications using vulnerable fast-jwt versions with RegExp-based allowedAud configuration
Discovery Timeline
- 2026-04-09 - CVE-2026-35041 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35041
Vulnerability Analysis
This vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity). The fast-jwt library provides JWT verification functionality including audience (aud) claim validation. When developers configure the allowedAud option with a regular expression pattern, the library directly evaluates attacker-controlled input from the JWT's aud claim against this pattern.
The core issue is the absence of any protection against regular expressions susceptible to catastrophic backtracking. When a malicious actor crafts a JWT whose aud claim is designed to exercise such a pattern, the regex engine backtracks exponentially in the input length, consuming excessive CPU during the match.
Root Cause
The root cause is the unsafe evaluation of user-supplied JWT claim data against developer-provided regular expressions without first validating that the regex is resistant to ReDoS attacks. The library failed to implement safeguards such as regex complexity analysis or input length restrictions before performing pattern matching operations on attacker-controlled data.
Attack Vector
An attacker exploits this vulnerability by sending crafted JWTs to an application that uses fast-jwt with a RegExp-based allowedAud configuration. Only network access to submit the token is required, but the attack succeeds only if the target application is configured with a regex pattern that is susceptible to backtracking. The attacker constructs a JWT whose aud claim is designed to trigger catastrophic backtracking against the target's audience validation regex, so that verification consumes excessive CPU cycles.
The security fix introduces the safe-regex2 library to validate regular expressions before use:
const { createPublicKey, createSecretKey } = require('node:crypto')
const Cache = require('mnemonist/lru-cache')
+const safeRegex = require('safe-regex2')
+
const { hsAlgorithms, verifySignature, detectPublicKeyAlgorithms } = require('./crypto')
const createDecoder = require('./decoder')
const { TokenError } = require('./error')
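Review bot: this excerpt only adds the `safe-regex2` require; the place where allowedAud RegExp entries are passed through `safeRegex` and rejected is not among the visible lines, so the hunk alone does not show whether the check runs once at option parsing time or on every verification, nor what error a caller sees for a rejected pattern. Suggest quoting that call site alongside the import, and stating in the release notes what safe-regex2 flags and what it does not, so integrators know whether a pattern that passes the check still needs an input length cap.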
Source: GitHub Commit
Detection Methods for CVE-2026-35041
Indicators of Compromise
- Abnormally high CPU utilization on servers performing JWT verification
- Increased response latency or timeouts on authentication endpoints
- Elevated memory consumption in Node.js processes handling JWT validation
- Application logs showing slow or stalled JWT verification operations
Detection Strategies
- Monitor application performance metrics for CPU spikes correlated with authentication requests
- Implement request rate limiting and timeout controls on JWT verification endpoints
- Use application performance monitoring (APM) tools to identify slow regex evaluation patterns
- Review dependency manifests (package.json, package-lock.json) for vulnerable fast-jwt versions (5.0.0 to 6.2.0)
Monitoring Recommendations
- Configure alerting for sustained CPU utilization above baseline thresholds on authentication services
- Implement distributed tracing to identify bottlenecks in JWT verification pipelines
- Monitor for patterns of repeated authentication attempts with unusual or malformed tokens
- Set up resource consumption alerts for Node.js worker processes
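The detector below is an added example written for this page, not code from the advisory, fast-jwt, or any monitoring product. It runs over a constructed, inline sample of structured auth-service log lines and surfaces the indicators listed above: slow or stalled JWT verifications, clustered by source address, and correlated with oversized aud claim lengths. The log field names (event, durationMs, outcome, audLen, src), the 500 ms slow threshold and the three-per-source alert threshold are all assumptions chosen for the example.

```javascript
// Added example (not from the advisory or fast-jwt): detect slow or stalled JWT
// verifications in structured logs and cluster them by source.
// Field names and thresholds are assumptions for this example.

// Constructed sample log, one JSON object per line (not from any real system).
// The 203.0.113.5 entries with multi-second durations and long aud values are the
// kind of signal the detector should raise.
const SAMPLE_LOG = [
  '{"ts":"2026-04-09T10:00:01Z","event":"jwt.verify","durationMs":3,"outcome":"ok","audLen":23,"src":"198.51.100.7"}',
  '{"ts":"2026-04-09T10:00:02Z","event":"jwt.verify","durationMs":4,"outcome":"ok","audLen":23,"src":"198.51.100.8"}',
  '{"ts":"2026-04-09T10:00:03Z","event":"http.request","path":"/health","durationMs":1}',
  '{"ts":"2026-04-09T10:00:04Z","event":"jwt.verify","durationMs":2,"outcome":"ok","audLen":23,"src":"198.51.100.9"}',
  '{"ts":"2026-04-09T10:00:05Z","event":"jwt.verify","durationMs":4180,"outcome":"invalid_aud","audLen":640,"src":"203.0.113.5"}',
  '{"ts":"2026-04-09T10:00:06Z","event":"jwt.verify","durationMs":9120,"outcome":"invalid_aud","audLen":720,"src":"203.0.113.5"}',
  '{"ts":"2026-04-09T10:00:07Z","event":"jwt.verify","durationMs":3,"outcome":"ok","audLen":23,"src":"198.51.100.7"}',
  '{"ts":"2026-04-09T10:00:08Z","event":"jwt.verify","durationMs":30000,"outcome":"timeout","audLen":800,"src":"203.0.113.5"}',
  'not json at all',
].join('\n');

// Parse the log, keeping only well-formed jwt.verify events; unparseable lines
// and unrelated events are skipped rather than aborting the run.
function parseJwtVerifyEvents(text) {
  const events = [];
  for (const line of text.split('\n')) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }
    if (rec && rec.event === 'jwt.verify' && typeof rec.durationMs === 'number') events.push(rec);
  }
  return events;
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

function mean(values) {
  return values.length ? values.reduce((a, b) => a + b, 0) / values.length : 0;
}

// A verification is "slow" when it exceeds slowMs or ended in a timeout.
// One slow call is noise; a cluster from a single source is the alert condition.
// The average aud length of slow versus normal events is reported because a
// ReDoS-shaped aud claim is typically much longer than a legitimate audience.
function analyzeVerifyEvents(events, { slowMs = 500, minSlowPerSource = 3 } = {}) {
  const slow = events.filter((e) => e.durationMs > slowMs || e.outcome === 'timeout');
  const normal = events.filter((e) => !slow.includes(e));
  const bySource = {};
  for (const e of slow) bySource[e.src] = (bySource[e.src] || 0) + 1;
  const alerts = Object.entries(bySource)
    .filter(([, n]) => n >= minSlowPerSource)
    .map(([src, n]) => `${n} slow JWT verifications from ${src}`);
  return {
    total: events.length,
    medianMs: median(events.map((e) => e.durationMs)),
    slow,
    bySource,
    normalAvgAudLen: mean(normal.map((e) => e.audLen)),
    slowAvgAudLen: mean(slow.map((e) => e.audLen)),
    alerts,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const report = analyzeVerifyEvents(parseJwtVerifyEvents(SAMPLE_LOG));
  console.log(`verifications=${report.total} median=${report.medianMs}ms slow=${report.slow.length}`);
  console.log(`avg aud length: normal=${report.normalAvgAudLen} slow=${report.slowAvgAudLen}`);
  for (const a of report.alerts) console.log('ALERT:', a);
}
```

The median is reported so the slow threshold can be sanity-checked against the service's actual baseline before it is turned into a paging alert; in a real deployment the threshold would be derived from that baseline rather than fixed at 500 ms.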
How to Mitigate CVE-2026-35041
Immediate Actions Required
- Upgrade fast-jwt to version 6.2.1 or later immediately
- Audit applications using fast-jwt to identify those with RegExp-based allowedAud configurations
- Implement request timeouts on authentication endpoints as an interim protection measure
- Consider temporarily switching to string-based audience validation if upgrading is not immediately possible
Patch Information
The vulnerability is fixed in fast-jwt version 6.2.1. The fix integrates the safe-regex2 library to validate regular expressions against catastrophic backtracking patterns before they are used for claim validation. The patch is available via the GitHub Release v6.2.1. Detailed technical discussion can be found in the GitHub Pull Request and the GitHub Security Advisory GHSA-cjw9-ghj4-fwxf.
Workarounds
- Replace RegExp-based allowedAud validation with explicit string matching where possible
- Implement request timeout limits on JWT verification operations
- Add input length validation on JWT tokens before processing
- Deploy rate limiting on authentication endpoints to reduce attack surface
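The following is an added example written for this page, not fast-jwt's own code or its patch. It puts the Root Cause section and the workarounds above into working form: a RegExp allow-list entry is checked for nested unbounded quantifiers once, when the verifier is configured, the attacker-controlled aud value is length-capped before any pattern is run against it, and literal strings are compared exactly. The star-height routine is a simplified re-implementation of the idea behind safe-regex2, not the library itself; the 256-character cap is an arbitrary constructed value; and the allowedAud shape (string, RegExp, or an array of either) is assumed from the option's description on this page.

```javascript
// Added example (not fast-jwt code): configuration-time guard for a RegExp-based
// audience allow-list plus a length cap on the attacker-controlled aud claim.
// The star-height check is a simplified stand-in for safe-regex2, not the library.

// Return the maximum nesting depth of unbounded quantifiers (*, +, {n,}) in a regex
// source string. Height 2 or more means a quantified group that itself contains an
// unbounded quantifier, the classic catastrophic-backtracking shape, e.g. ^(a+)+$.
function starHeight(source) {
  const frames = [{ max: 0 }];   // one frame per open group; frames[0] is the top level
  let lastAtomHeight = 0;        // star height of the atom a following quantifier applies to
  let i = 0;
  while (i < source.length) {
    const ch = source[i];
    if (ch === '\\') {                         // escaped character: a plain atom
      i += 2; lastAtomHeight = 0; continue;
    }
    if (ch === '[') {                          // character class: skip to the closing ]
      i += 1;
      if (source[i] === '^') i += 1;
      if (source[i] === ']') i += 1;           // a leading ] is literal
      while (i < source.length && source[i] !== ']') i += source[i] === '\\' ? 2 : 1;
      i += 1; lastAtomHeight = 0; continue;
    }
    if (ch === '(') {                          // group open: skip (?: (?= (?! (?<= (?<! (?<name>
      frames.push({ max: 0 });
      i += 1;
      if (source[i] === '?') {
        i += 1;
        if (source[i] === '<' && source[i + 1] !== '=' && source[i + 1] !== '!') {
          while (i < source.length && source[i] !== '>') i += 1;
          i += 1;
        } else {
          i += source[i] === '<' ? 2 : 1;
        }
      }
      lastAtomHeight = 0; continue;
    }
    if (ch === ')') {                          // group close: the group becomes the last atom
      const frame = frames.pop();
      frames[frames.length - 1].max = Math.max(frames[frames.length - 1].max, frame.max);
      lastAtomHeight = frame.max;
      i += 1; continue;
    }
    if (ch === '*' || ch === '+' || ch === '?' || ch === '{') {
      let unbounded = ch === '*' || ch === '+';
      if (ch === '{') {
        const m = /^\{(\d+)(?:,(\d*))?\}/.exec(source.slice(i));
        if (!m) { i += 1; lastAtomHeight = 0; continue; }   // literal brace, not a quantifier
        i += m[0].length;
        unbounded = m[2] === '';                              // {n,} has no upper bound
      } else {
        i += 1;
      }
      if (source[i] === '?') i += 1;                          // lazy modifier
      if (unbounded) {
        const top = frames[frames.length - 1];
        top.max = Math.max(top.max, lastAtomHeight + 1);
      }
      lastAtomHeight = 0; continue;
    }
    lastAtomHeight = 0; i += 1;                // literal, anchor or alternation: height 0
  }
  return frames[0].max;
}

// Build an audience check for the allowedAud shape assumed here (string, RegExp, or
// an array of either). Unsafe patterns are rejected once, at configuration time,
// so a bad pattern fails deployment instead of failing under attacker input.
function createAudienceCheck(allowedAud, { maxAudLength = 256 } = {}) {  // 256 is a constructed cap
  const allowed = Array.isArray(allowedAud) ? allowedAud : [allowedAud];
  for (const entry of allowed) {
    if (entry instanceof RegExp && starHeight(entry.source) > 1) {
      throw new Error(`allowedAud pattern ${entry} nests unbounded quantifiers (ReDoS risk); use a literal string instead`);
    }
  }
  return function audienceAllowed(aud) {
    const claimed = Array.isArray(aud) ? aud : [aud];          // RFC 7519: aud is a string or an array
    return claimed.some((value) => {
      if (typeof value !== 'string' || value.length > maxAudLength) return false;  // cap attacker input first
      return allowed.some((a) => (a instanceof RegExp ? a.test(value) : a === value));
    });
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(starHeight('^(a+)+$'));                          // 2: rejected at configuration time
  console.log(starHeight('^[a-z0-9-]+\\.example\\.com$'));     // 1: accepted
  const check = createAudienceCheck(['https://api.example.com', /^[a-z0-9-]+\.example\.com$/]);
  console.log(check('billing.example.com'), check('evil.example.org'));  // true false
}
```

Two caveats that apply to any heuristic of this kind: a pattern that passes the star-height check can still be slow on very long input, which is why the length cap is applied before the match rather than instead of the check; and a RegExp carrying the g or y flag keeps lastIndex state across test() calls, so patterns used in an allow-list should be created without those flags.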
# Upgrade fast-jwt to the patched version.
# npm update only moves within the range already declared in package.json,
# so install the patched range explicitly to be sure 6.2.1 or later is pulled in.
npm install fast-jwt@^6.2.1
# Confirm the resolved version is 6.2.1 or later
npm ls fast-jwt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.