Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35041

CVE-2026-35041: fast-jwt DOS Vulnerability

CVE-2026-35041 is a denial-of-service flaw in fast-jwt that triggers catastrophic backtracking via crafted JWT tokens. This post covers technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2026-35041 Overview

CVE-2026-35041 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting the fast-jwt library, a fast JSON Web Token (JWT) implementation for Node.js. From versions 5.0.0 to 6.2.0, a denial-of-service condition exists when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification.

Critical Impact

Applications using fast-jwt with regular expression-based audience validation are vulnerable to CPU exhaustion attacks through maliciously crafted JWT tokens, potentially causing service degradation or complete denial of service.

Affected Products

  • fast-jwt versions 5.0.0 through 6.2.0
  • Node.js applications using vulnerable fast-jwt versions with RegExp-based allowedAud configuration

Discovery Timeline

  • 2026-04-09 - CVE-2026-35041 published to NVD
  • 2026-04-09 - Last updated in NVD database

Technical Details for CVE-2026-35041

Vulnerability Analysis

This vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity). The fast-jwt library provides JWT verification functionality including audience (aud) claim validation. When developers configure the allowedAud option with a regular expression pattern, the library directly evaluates attacker-controlled input from the JWT's aud claim against this pattern.

The core issue stems from the lack of protection against regular expressions susceptible to catastrophic backtracking. When a malicious actor crafts a JWT with a specially designed aud claim value, the regex engine can enter an exponential time complexity state, consuming excessive CPU resources during the pattern matching operation.

Root Cause

The root cause is the unsafe evaluation of user-supplied JWT claim data against developer-provided regular expressions without first validating that the regex is resistant to ReDoS attacks. The library failed to implement safeguards such as regex complexity analysis or input length restrictions before performing pattern matching operations on attacker-controlled data.

Attack Vector

An attacker can exploit this vulnerability by sending crafted JWT tokens to an application that uses fast-jwt with a RegExp-based allowedAud configuration. The attack requires network access to submit the malicious token but needs the target application to be configured with a vulnerable regex pattern. The attacker constructs a JWT where the aud claim contains a string specifically designed to trigger catastrophic backtracking against the target's audience validation regex, causing the verification process to consume excessive CPU cycles.

The security fix introduces the safe-regex2 library to validate regular expressions before use:

javascript
 const { createPublicKey, createSecretKey } = require('node:crypto')
 const Cache = require('mnemonist/lru-cache')
 
+const safeRegex = require('safe-regex2')
+
 const { hsAlgorithms, verifySignature, detectPublicKeyAlgorithms } = require('./crypto')
 const createDecoder = require('./decoder')
 const { TokenError } = require('./error')

Source: GitHub Commit

Detection Methods for CVE-2026-35041

Indicators of Compromise

  • Abnormally high CPU utilization on servers performing JWT verification
  • Increased response latency or timeouts on authentication endpoints
  • Elevated memory consumption in Node.js processes handling JWT validation
  • Application logs showing slow or stalled JWT verification operations

Detection Strategies

  • Monitor application performance metrics for CPU spikes correlated with authentication requests
  • Implement request rate limiting and timeout controls on JWT verification endpoints
  • Use application performance monitoring (APM) tools to identify slow regex evaluation patterns
  • Review dependency manifests (package.json, package-lock.json) for vulnerable fast-jwt versions (5.0.0 to 6.2.0)

Monitoring Recommendations

  • Configure alerting for sustained CPU utilization above baseline thresholds on authentication services
  • Implement distributed tracing to identify bottlenecks in JWT verification pipelines
  • Monitor for patterns of repeated authentication attempts with unusual or malformed tokens
  • Set up resource consumption alerts for Node.js worker processes

How to Mitigate CVE-2026-35041

Immediate Actions Required

  • Upgrade fast-jwt to version 6.2.1 or later immediately
  • Audit applications using fast-jwt to identify those with RegExp-based allowedAud configurations
  • Implement request timeouts on authentication endpoints as an interim protection measure
  • Consider temporarily switching to string-based audience validation if upgrading is not immediately possible

Patch Information

The vulnerability is fixed in fast-jwt version 6.2.1. The fix integrates the safe-regex2 library to validate regular expressions against catastrophic backtracking patterns before they are used for claim validation. The patch is available via the GitHub Release v6.2.1. Detailed technical discussion can be found in the GitHub Pull Request and the GitHub Security Advisory GHSA-cjw9-ghj4-fwxf.

Workarounds

  • Replace RegExp-based allowedAud validation with explicit string matching where possible
  • Implement request timeout limits on JWT verification operations
  • Add input length validation on JWT tokens before processing
  • Deploy rate limiting on authentication endpoints to reduce attack surface
bash
# Upgrade fast-jwt to patched version
npm update fast-jwt@6.2.1

# Or explicitly install the patched version
npm install fast-jwt@^6.2.1

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.