CVE-2026-35041 MEDIUM

CVE-2026-35041: ReDoS in fast-jwt when using RegExp in allowed* leading to CPU exhaustion during token verification

Vendor Nearform
Product fast-jwt
Weakness CWE-1333
Published April 9, 2026
Last update April 9, 2026

CVSS base score

4.2/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

What the vulnerability does

Description

fast-jwt provides a fast JSON Web Token (JWT) implementation. In versions 5.0.0 through 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured with a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, causing significant CPU consumption during verification. This vulnerability is fixed in 6.2.1.
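Two defender-side measures for the condition described above, written as an added example (not fast-jwt's own code): a guard that refuses RegExp entries in allowedAud while an affected version is still deployed, and an audience check that matches the untrusted aud claim with linear-time string rules instead of a RegExp. The rule shapes ({ exact }, { prefix }, { suffix }), the MAX_AUD_LENGTH bound and the sample values are this example's own assumptions.

```javascript
// Added example; not fast-jwt's own code. Rule shapes and bound are assumptions.
const MAX_AUD_LENGTH = 512; // constructed bound; real audiences are short URIs or names

// Guard for verifier options: a RegExp in allowedAud is what exposes the
// backtracking behaviour, so reject such configurations before use.
function assertLiteralAllowedAud(allowedAud) {
  const list = Array.isArray(allowedAud) ? allowedAud : [allowedAud];
  for (const entry of list) {
    if (entry instanceof RegExp) {
      throw new TypeError('allowedAud must contain only literal strings (CVE-2026-35041)');
    }
    if (typeof entry !== 'string') throw new TypeError('allowedAud entries must be strings');
  }
  return list;
}

// RFC 7519: aud is either a single string or an array of strings.
function normalizeAud(aud) {
  if (typeof aud === 'string') return [aud];
  if (Array.isArray(aud) && aud.every((a) => typeof a === 'string')) return aud;
  return null;
}

// Every rule uses a string operation whose cost is linear in the claim length,
// so no crafted aud value can make the comparison disproportionately expensive.
function ruleMatches(rule, value) {
  if (typeof rule.exact === 'string') return value === rule.exact;
  if (typeof rule.prefix === 'string') return value.startsWith(rule.prefix);
  if (typeof rule.suffix === 'string') return value.endsWith(rule.suffix);
  throw new TypeError('unsupported audience rule');
}

function audienceAllowed(aud, rules, maxLength = MAX_AUD_LENGTH) {
  const values = normalizeAud(aud);
  if (values === null || values.length === 0) return false;
  // Oversized claims are rejected outright rather than examined.
  if (values.some((v) => v.length > maxLength)) return false;
  return values.some((v) => rules.some((rule) => ruleMatches(rule, v)));
}

// Constructed sample: rules a verifier might hold, checked against decoded aud claims.
const sampleRules = [{ exact: 'payments-api' }, { prefix: 'https://api.example.com/' }];
console.log(audienceAllowed(['https://api.example.com/v1', 'other'], sampleRules)); // true
console.log(audienceAllowed('payments-apix', sampleRules)); // false
```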

Key dates

Disclosure timeline

April 9, 2026 CVE published
April 9, 2026 Record updated