Vulnerability DatabaseCVE-2026-35041
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-35041
Published:April 09, 2026
Updated:April 20, 2026
fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1.
Affected Packages
fast-jwt (NPM):
Affected version(s) >=5.0.0 <6.2.1
Fix Suggestion:
Update to version 6.2.1
Related ResourcesĀ (6)
https://github.com/nearform/fast-jwt/releases/tag/v6.2.1
https://github.com/nearform/fast-jwt/commit/b0be0ca161593836a153d5180ca5358ad9b5de94
https://github.com/nearform/fast-jwt
https://github.com/nearform/fast-jwt/pull/595
https://github.com/nearform/fast-jwt/security/advisories/GHSA-cjw9-ghj4-fwxf
https://nvd.nist.gov/vuln/detail/CVE-2026-35041
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.7
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.2
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Inefficient Regular Expression Complexity
CWE-1333
EPSS
Base Score:
0.04