CVE-2026-35042 HIGH

CVE-2026-35042: fast-jwt accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

Vendor Nearform
Product fast-jwt
Weakness CWE-345
Published April 6, 2026
Last update April 7, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

Description

fast-jwt is a fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC.
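The check the RFC requires, as an added example that is not fast-jwt's code: a strict `crit` validator for a decoded JWS protected header, following RFC 7515 §4.1.11 (non-empty array of strings, no duplicates, no registered names, every listed name present in the header, every listed name understood by this recipient). The `understood` set and the sample header are assumptions for illustration.

```javascript
'use strict';

// Header names registered by RFC 7515 for JWS; producers MUST NOT list them in "crit".
const JWS_REGISTERED = new Set([
  'alg', 'jku', 'jwk', 'kid', 'x5u', 'x5c', 'x5t', 'x5t#S256', 'typ', 'cty', 'crit',
]);

// Returns null when the header is acceptable, otherwise a string saying why the
// token must be rejected. `understood` is the set of extension header names this
// recipient actually implements (assumption: the caller maintains that set).
function checkCrit(header, understood = new Set()) {
  if (!('crit' in header)) return null; // no critical extensions declared
  const crit = header.crit;
  if (!Array.isArray(crit) || crit.length === 0) {
    return 'crit must be a non-empty array';
  }
  const seen = new Set();
  for (const name of crit) {
    if (typeof name !== 'string') return 'crit entries must be strings';
    if (seen.has(name)) return `duplicate crit entry: ${name}`;
    seen.add(name);
    if (JWS_REGISTERED.has(name)) return `crit must not list registered header: ${name}`;
    if (!(name in header)) return `crit names header not present in JOSE header: ${name}`;
    if (!understood.has(name)) return `unsupported critical extension: ${name}`;
  }
  return null;
}

// Decode the protected header of a compact-serialised JWS and run the check.
// This runs before signature verification so an unknown critical extension
// is rejected regardless of whether the signature would verify.
function critErrorForToken(token, understood) {
  const [b64Header] = token.split('.');
  const header = JSON.parse(Buffer.from(b64Header, 'base64url').toString('utf8'));
  return checkCrit(header, understood);
}

// Constructed sample token: only the header matters for this check, so the
// payload and signature segments are placeholders.
function b64url(obj) { return Buffer.from(JSON.stringify(obj)).toString('base64url'); }
const sampleToken = `${b64url({ alg: 'HS256', crit: ['exp'], exp: 1700000000 })}.e30.sig`;
```

A recipient that understands no extensions must reject `sampleToken`; one that implements the `exp` header extension may accept it and proceed to signature verification.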

Key dates

Disclosure timeline

April 6, 2026 CVE published
April 7, 2026 Record updated