CVE-2026-44351 Overview
CVE-2026-44351 is an authentication bypass vulnerability in fast-jwt, a high-performance JSON Web Token (JWT) implementation for Node.js. Versions prior to 6.2.4 accept forged tokens when the async key resolver returns an empty string. Unauthenticated attackers can craft arbitrary JWT payloads — including elevated sub, admin, or scopes claims — that the library validates as authentic. The flaw is classified under CWE-287: Improper Authentication and is fixed in version 6.2.4.
Critical Impact
Any unauthenticated attacker can forge valid JWTs and impersonate any user when the application uses a JWKS-style fallback that returns an empty key.
Affected Products
- fast-jwt versions prior to 6.2.4
- Node.js applications using fast-jwt with an async key resolver
- Services implementing JWKS-style fallbacks such as keys[decoded.header.kid] || ''
Discovery Timeline
- 2026-05-13 - CVE-2026-44351 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44351
Vulnerability Analysis
The vulnerability resides in fast-jwt's async key-resolver flow. When the resolver returns an empty string, the library converts it to a zero-length Buffer and passes it to crypto.createSecretKey. The library then derives allowedAlgorithms = ['HS256','HS384','HS512'] from the empty secret and proceeds to verify the token signature using HMAC with that empty key.
Node.js does not reject empty-key HMAC operations. An attacker who computes HMAC-SHA256(key='', input='${header}.${payload}') produces a signature that the verifier accepts. The library then returns the attacker-controlled payload to the application as authenticated identity data.
This impacts confidentiality and integrity directly. Applications relying on JWT claims for authorization will grant any privilege the attacker chooses to encode.
Root Cause
The root cause is missing validation of the secret key length and missing constraint of allowedAlgorithms when the resolver returns a falsy or empty value. The common pattern keys[decoded.header.kid] || '' — used to look up signing keys by JWKS key ID — triggers the bypass whenever an attacker supplies an unknown kid in the JWT header. The fallback empty string flows through key construction without any sanity check.
Attack Vector
The attack requires only network access to the JWT-accepting endpoint. An attacker performs the following steps:
- Construct a JWT header specifying alg: HS256 and an unknown kid.
- Construct an arbitrary payload with desired claims such as sub, admin, or scopes.
- Compute the HMAC-SHA256 of base64url(header).base64url(payload) using an empty string as the key.
- Submit the resulting token to the target application.
The key resolver returns '' for the unknown kid, fast-jwt validates the empty-key HMAC signature successfully, and the application treats the forged payload as authentic. See the GitHub Security Advisory GHSA-gmvf-9v4p-v8jc for additional technical details.
Detection Methods for CVE-2026-44351
Indicators of Compromise
- JWTs presented to the application containing a kid header value that does not correspond to any configured signing key.
- Successful authentication events tied to JWTs whose signatures verify against an empty secret.
- Authentication logs showing privilege-elevated sessions without a corresponding password or MFA event.
- Inbound requests with JWTs using alg: HS256 when the application expects asymmetric algorithms such as RS256 or ES256.
Detection Strategies
- Inventory all Node.js services that depend on fast-jwt and compare installed versions against the fixed release 6.2.4.
- Add server-side logging that records the kid and alg of every received JWT, then alert on unknown kid values.
- Implement runtime checks that reject any decoded secret with zero length before signature verification.
- Review application code for the pattern keys[decoded.header.kid] || '' or equivalent fallbacks returning empty strings, null, or undefined.
Monitoring Recommendations
- Forward authentication and API gateway logs to a centralized analytics platform and correlate JWT verification events with downstream privilege use.
- Alert on first-seen kid values across production traffic to catch enumeration attempts.
- Monitor for sudden increases in administrative actions or scope-elevated API calls from previously unseen sessions.
How to Mitigate CVE-2026-44351
Immediate Actions Required
- Upgrade fast-jwt to version 6.2.4 or later across all Node.js services.
- Audit key resolver functions to ensure they throw or return an error when no key matches the requested kid, rather than returning an empty string.
- Pin the accepted algorithms explicitly using the allowedAlgorithms option and exclude HMAC algorithms when verifying tokens signed with asymmetric keys.
- Rotate any signing keys and invalidate active sessions issued during the exposure window.
Patch Information
The maintainers fixed the issue in fast-jwt version 6.2.4. The patch rejects empty or zero-length secrets during key construction and prevents derivation of HMAC algorithms from an empty buffer. Update via npm install fast-jwt@^6.2.4 or the equivalent command for your package manager. Full advisory details are available in the GitHub Security Advisory GHSA-gmvf-9v4p-v8jc.
Workarounds
- Replace fallback patterns like keys[decoded.header.kid] || '' with explicit error handling that rejects the token when the kid is unknown.
- Configure the verifier with an explicit allowedAlgorithms list matching only the algorithms your issuer uses, such as ['RS256'].
- Add a pre-verification middleware that rejects any JWT whose resolved key buffer has length zero.
# Upgrade fast-jwt to the patched version
npm install fast-jwt@^6.2.4
# Verify installed version
npm ls fast-jwt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
