CVE-2026-35041
Received Received - Intake
Regex-Based DoS in fast-jwt via allowedAud Verification

Publication date: 2026-04-09

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35041
EUVD
EUVD-2026-20899
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nearform fast-jwt From 5.0.0 (inc) to 6.2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can cause significant CPU exhaustion during JWT verification, leading to denial-of-service (DoS) conditions.

  • Blocking of Node.js event loop threads, which can halt processing of other requests.
  • Degradation of API throughput and cascading failures in authentication middleware or service-to-service communication.
  • Increased serverless infrastructure costs due to prolonged CPU usage.
  • Saturation of authentication infrastructure, potentially causing outages or degraded service availability.

Exploitation requires possession of a valid signed JWT and control over the aud claim, making it an authenticated denial-of-service vulnerability.

Compliance Impact

The CVE-2026-35041 vulnerability is a Regular Expression Denial of Service (ReDoS) issue that affects availability by causing significant CPU consumption during JWT verification when unsafe regular expressions are used. It does not impact confidentiality or integrity of data.

Because this vulnerability leads to denial-of-service conditions by exhausting CPU resources and blocking event loop threads, it can degrade the availability of authentication services and APIs.

While the vulnerability does not directly expose personal data or compromise data integrity, the resulting service outages or degraded performance could indirectly affect compliance with standards like GDPR or HIPAA, which require maintaining availability and reliability of systems processing sensitive data.

Mitigations such as avoiding unsafe regex patterns and enforcing claim length limits help maintain service availability, which is a key aspect of compliance with these regulations.

Executive Summary

CVE-2026-35041 is a Regular Expression Denial of Service (ReDoS) vulnerability in the fast-jwt library versions 5.0.0 through 6.2.0. It occurs when the library's allowedAud verification option is configured using a regular expression containing nested quantifiers that cause catastrophic backtracking in the JavaScript regex engine.

Because the aud claim in a JWT is attacker-controlled, an attacker can craft a malicious JWT with a specially designed aud claim that triggers excessive CPU consumption during token verification. This leads to a denial-of-service condition by blocking the Node.js event loop and degrading system performance.

The vulnerability is fixed in version 6.2.1 by detecting and preventing unsafe regular expressions in the allowed options, warning developers, and rejecting unsafe patterns during verifier creation.

Detection Guidance

Detection of this vulnerability involves identifying unsafe regular expressions used in the allowed claim validation options (such as allowedAud) of the fast-jwt library. The vulnerability arises from regex patterns with nested quantifiers that cause catastrophic backtracking.

The fixed fast-jwt library (version 6.2.1 and later) integrates the safe-regex2 library to analyze and detect unsafe regular expressions during verifier creation. It emits process warnings with code FAST_JWT_UNSAFE_REGEXP when unsafe regex patterns are detected.

To detect unsafe regex patterns in your environment, you can:

  • Review your JWT verifier configuration for allowed* options (allowedAud, allowedIss, allowedSub, allowedJti, allowedNonce) that use RegExp objects.
  • Check for regex patterns with nested quantifiers such as /(a+)+X$/, /(a*)+b/, or /(\w+)+@/ which are known to cause ReDoS.
  • Upgrade to fast-jwt version 6.2.1 or later to benefit from built-in detection and warnings.

While no specific network commands are provided, monitoring CPU usage spikes during JWT verification and logging process warnings emitted by fast-jwt can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade the fast-jwt library to version 6.2.1 or later, which contains fixes that prevent unsafe regular expressions from being used in claim validation options.
  • Avoid configuring allowed claim validation options (allowedAud, allowedIss, allowedSub, allowedJti, allowedNonce) with RegExp patterns containing nested quantifiers or other unsafe constructs.
  • Enforce maximum claim length limits and restrict regex complexity to reduce the risk of catastrophic backtracking.
  • Monitor for process warnings with code FAST_JWT_UNSAFE_REGEXP emitted by the library to identify unsafe regex usage.

These steps help prevent denial-of-service conditions caused by maliciously crafted JWTs exploiting the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35041. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart