CVE-2026-35041
Regex-Based DoS in fast-jwt via allowedAud Verification
Publication date: 2026-04-09
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nearform | fast-jwt | From 5.0.0 (inc) to 6.2.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can exhaust CPU during JWT verification and so cause a denial of service (DoS):
- The Node.js event loop is blocked while the regular expression backtracks, so no other request on that process is handled in the meantime.
- API throughput degrades, and authentication middleware or service-to-service calls that wait on token verification fail in cascade.
- Serverless deployments pay for the prolonged CPU time.
- Authentication infrastructure saturates, causing outages or degraded availability.
Exploitation requires a token the verifier accepts (a validly signed JWT) whose aud claim the attacker was able to choose, so this is an authenticated denial-of-service vulnerability.
Can you explain this vulnerability to me?
CVE-2026-35041 is a Regular Expression Denial of Service (ReDoS) vulnerability in fast-jwt versions 5.0.0 through 6.2.0. It arises when the verifier's allowedAud option (the same applies to the other allowed* claim options) is configured with a regular expression containing nested quantifiers, which cause catastrophic backtracking in V8's backtracking regex engine.
The aud claim is part of the token payload, so an attacker who can obtain a token with an aud value of their choosing can craft one whose aud forces the pattern through an exponential number of backtracking steps. Each verification of such a token then holds the CPU for seconds or longer and blocks the Node.js event loop, degrading or stopping the service.
Version 6.2.1 fixes this by checking the allowed* options for unsafe regular expressions when the verifier is created, emitting a warning for developers and rejecting unsafe patterns.
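The mechanism described above, reproduced with plain RegExp calls as an added example (this is not fast-jwt code; the audience validator below is a stand-in that assumes the usual JWT rule that aud may be a string or an array, and the pattern, domain and crafted claim are constructed for illustration):

```javascript
'use strict';

// Added example, not fast-jwt code. It reproduces the mechanism behind
// CVE-2026-35041 with plain RegExp calls: a nested-quantifier allowedAud
// pattern plus an attacker-chosen aud claim that can never match.

// Unsafe pattern: ([a-z]+)+ is a quantifier nested inside a quantifier. When
// the overall match fails, the engine retries every way of splitting the run
// of letters between the inner and outer loop: 2^(n-1) splits for n letters.
const UNSAFE_ALLOWED_AUD = /^([a-z]+)+\.example\.com$/;

// Safe equivalent that accepts exactly the same audiences with one quantifier.
const SAFE_ALLOWED_AUD = /^[a-z]+\.example\.com$/;

// Constructed adversarial aud value: a run of lowercase letters followed by a
// character the pattern rejects, so the match fails only after backtracking.
function craftAud(n) {
  return 'a'.repeat(n) + '!';
}

// Time one claim check, which is what a RegExp allowedAud option boils down to.
function timeClaimCheck(pattern, claim) {
  const start = process.hrtime.bigint();
  const matched = pattern.test(claim);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Stand-in audience validator (assumption: aud may be a string or an array and
// any entry may satisfy the allow list; strings compare exactly, RegExps are
// tested). It is not the library's own validator.
function audienceAllowed(aud, allowed) {
  const values = Array.isArray(aud) ? aud : [aud];
  return values.some(
    (value) =>
      typeof value === 'string' &&
      allowed.some((rule) => (rule instanceof RegExp ? rule.test(value) : rule === value))
  );
}

// Each extra letter roughly doubles the unsafe time; the safe pattern stays
// flat. n is kept small so the demo finishes quickly; a real attacker would
// send a much longer claim.
function demo() {
  for (const n of [8, 12, 16, 20]) {
    const claim = craftAud(n);
    const unsafe = timeClaimCheck(UNSAFE_ALLOWED_AUD, claim);
    const safe = timeClaimCheck(SAFE_ALLOWED_AUD, claim);
    console.log(`n=${n}: unsafe ${unsafe.ms.toFixed(2)} ms, safe ${safe.ms.toFixed(2)} ms`);
  }
}

demo();
```

Both patterns reject the crafted claim; the difference is only how long the rejection takes, which is why the bug is a pure availability issue. Because fast-jwt checks claims after the signature, the attacker has to present a token the verifier trusts, but the cost per token is paid in full on every request that carries it.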
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection means finding unsafe regular expressions in the allowed claim validation options (allowedAud and the other allowed* options) of your fast-jwt verifiers. The dangerous patterns are those with nested quantifiers, which cause catastrophic backtracking.
From version 6.2.1 fast-jwt uses the safe-regex2 library to analyse these patterns when a verifier is created and emits a process warning with code FAST_JWT_UNSAFE_REGEXP when it finds an unsafe one.
To find unsafe patterns in your own environment:
- List installed versions with npm ls fast-jwt; anything from 5.0.0 up to but not including 6.2.1 is affected.
- Review verifier configuration for allowed* options (allowedAud, allowedIss, allowedSub, allowedJti, allowedNonce) that use RegExp objects, for example with grep -rnE 'allowed(Aud|Iss|Sub|Jti|Nonce)' over your source tree.
- In those patterns, look for nested quantifiers such as /(a+)+X$/, /(a*)+b/ or /(\w+)+@/: a quantified group that itself contains a quantifier is the signature of ReDoS.
- Upgrade to fast-jwt 6.2.1 or later and run Node with --trace-warnings, or register a process.on('warning', ...) handler, so that FAST_JWT_UNSAFE_REGEXP warnings reach your logs.
There is no network signature for this bug. At runtime, watch for CPU spikes and event-loop lag that coincide with token verification, and alert on the library's process warnings.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-35041 is a Regular Expression Denial of Service (ReDoS) issue that affects availability only: it causes excessive CPU consumption during JWT verification when unsafe regular expressions are configured, and does not impact the confidentiality or integrity of data.
Because it exhausts CPU and blocks the Node.js event loop, it can degrade the availability of authentication services and of the APIs that depend on them.
While the vulnerability does not directly expose personal data or compromise data integrity, the resulting service outages or degraded performance could indirectly affect compliance with standards like GDPR or HIPAA, which require maintaining availability and reliability of systems processing sensitive data.
Mitigations such as avoiding unsafe regex patterns and enforcing claim length limits help maintain service availability, which is a key aspect of compliance with these regulations.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps:
- Upgrade fast-jwt to version 6.2.1 or later, which refuses unsafe regular expressions in the claim validation options and warns when one is configured.
- Do not configure the allowed* options (allowedAud, allowedIss, allowedSub, allowedJti, allowedNonce) with RegExp patterns containing nested quantifiers or other ambiguous constructs; where the set of audiences is known, prefer an explicit list of literal strings.
- Cap the length of claim values before they reach a regular expression and keep any remaining patterns simple, so that backtracking stays bounded.
- Capture process warnings with code FAST_JWT_UNSAFE_REGEXP emitted by the library to find unsafe regex usage.
These steps prevent the denial-of-service condition caused by JWTs crafted to exploit the vulnerability.
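Two of the mitigations above, an audit of the allowed* options and a claim length cap applied before the verifier runs, as an added example (not fast-jwt code). The nested-quantifier detector is a coarse heuristic written for this page, not safe-regex2; the 256-character cap, the token contents, the issuer URL and the audience names are constructed assumptions. In a real service the audited options object is the one you pass to fast-jwt's createVerifier.

```javascript
'use strict';

// Added example, not fast-jwt code: audit allowed* options for nested
// quantifiers and guard the aud claim before it reaches any RegExp.

// Coarse heuristic (assumption: approximates the star-height style check that
// safe-regex2 performs). It flags a quantified group that itself contains a
// quantifier, e.g. (a+)+, (a*)+, (\w+)+ or (\.[a-z]+)*.
const NESTED_QUANTIFIER = /\((?:[^()\\]|\\.)*(?:[+*]|\{\d*,?\d*\})\??\)(?:[+*]|\{\d*,?\d*\})/;

const ALLOWED_OPTIONS = ['allowedAud', 'allowedIss', 'allowedSub', 'allowedJti', 'allowedNonce'];

function looksUnsafe(pattern) {
  return NESTED_QUANTIFIER.test(pattern.source);
}

// Walk the verifier options as the library accepts them: each allowed* value
// may be a string, a RegExp, or an array of either. Only RegExps are audited.
function auditVerifierOptions(options) {
  const findings = [];
  for (const name of ALLOWED_OPTIONS) {
    if (options[name] === undefined) continue;
    const rules = Array.isArray(options[name]) ? options[name] : [options[name]];
    rules.forEach((rule, index) => {
      if (rule instanceof RegExp && looksUnsafe(rule)) {
        findings.push({ option: name, index, pattern: rule.source });
      }
    });
  }
  return findings;
}

// Decode the payload segment without verifying anything, only to read aud.
function peekAud(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return undefined;
  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  return payload.aud;
}

// Reject oversized or ill-typed aud values before any RegExp runs. The 256
// character default is an assumption; set it to the longest audience you issue.
function guardAudience(aud, { maxLength = 256, allowed }) {
  const values = Array.isArray(aud) ? aud : [aud];
  for (const value of values) {
    if (typeof value !== 'string') return { ok: false, reason: 'aud must be a string or array of strings' };
    if (value.length > maxLength) return { ok: false, reason: `aud entry longer than ${maxLength} chars` };
  }
  const matched = values.some((value) =>
    allowed.some((rule) => (rule instanceof RegExp ? rule.test(value) : rule === value))
  );
  return matched ? { ok: true } : { ok: false, reason: 'aud not in allow list' };
}

// Constructed, unsigned token: the signature segment is a placeholder because
// only the payload is read here.
function makeToken(payload) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(payload)}.sig`;
}

const SAMPLE_TOKEN = makeToken({ sub: 'user-1', aud: 'api.example.com' });
const OVERSIZED_TOKEN = makeToken({ sub: 'user-1', aud: 'a'.repeat(4000) + '!' });

// Weak configuration beside the corrected one.
const WEAK_OPTIONS = { allowedAud: /(\w+)+@/, allowedIss: 'https://issuer.example.com' };
const SAFE_OPTIONS = {
  allowedAud: ['api.example.com', /^api\.example\.com$/],
  allowedIss: 'https://issuer.example.com',
};

console.log('weak findings:', auditVerifierOptions(WEAK_OPTIONS));
console.log('safe findings:', auditVerifierOptions(SAFE_OPTIONS));
console.log('sample:', guardAudience(peekAud(SAMPLE_TOKEN), { allowed: SAFE_OPTIONS.allowedAud }));
console.log('oversized:', guardAudience(peekAud(OVERSIZED_TOKEN), { allowed: SAFE_OPTIONS.allowedAud }));
```

Run the audit once at startup, next to the createVerifier call, and fail the deployment if it reports anything; run guardAudience per request before handing the token to the verifier, so an oversized claim is dropped without ever touching a regular expression. The heuristic over-flags some patterns that are safe in practice, which is the right direction for a gate on authentication configuration.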