cvedb.io
CVE-2026-35041
MEDIUM · CVSS 4.2
EPSS exploitation probability: 0%
Published 2026-04-09T16:16:27.383 · Last modified 2026-06-17T10:40:00.727

Summary

fast-jwt is a fast JSON Web Token (JWT) implementation for Node.js. Versions 5.0.0 through 6.2.0 contain a denial-of-service condition that arises when the allowedAud verification option is configured with a regular expression. Because the aud claim is attacker-controlled and the library tests it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, consuming significant CPU during verification. The issue is fixed in 6.2.1. Since the backtracking occurs inside the operator-supplied pattern, practical exposure depends on that pattern: deployments that configure allowedAud with plain strings (exact match) are not affected by this issue, and upgrading to 6.2.1 or later is the fix where a RegExp is used.

Affected products

nearform — fast-jwt

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.