DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-35041: Regular Expression Denial of Service in fast-jwt

Vulnerability ID: CVE-2026-35041
CVSS Score: 4.2
Published: 2026-04-09

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the fast-jwt Node.js library. Versions 5.0.0 through 6.2.0 do not check the complexity of developer-supplied regular expressions used to validate JSON Web Token claims (the allowedAud, allowedIss, allowedSub, allowedJti and allowedNonce verifier options). An attacker who holds a validly signed token can place a crafted value in such a claim and trigger catastrophic backtracking in the regular-expression engine; because the match runs synchronously, it blocks the Node.js event loop and the process stops serving requests.

TL;DR

fast-jwt 5.0.0 through 6.2.0 (fixed in 6.2.1) is vulnerable to ReDoS during token claim validation. An attacker with a validly signed token can supply a maliciously crafted claim value to exhaust CPU, causing a complete denial of service for the affected Node.js process.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-1333 (Inefficient Regular Expression Complexity)
  • Attack Vector: Network
  • CVSS v3.1: 4.2 (Medium)
  • Impact: Denial of Service (CPU Exhaustion)
  • Exploit Status: Proof of Concept
  • Vulnerable Component: fast-jwt Verifier Configuration

Affected Systems

  • Node.js applications using fast-jwt
  • Microservices implementing custom JWT claim validation logic via regex
  • fast-jwt: >= 5.0.0, <= 6.2.0 (Fixed in: 6.2.1)

Code Analysis

Commit: b0be0ca

Primary fix: integrates safe-regex2 to screen developer-supplied claim regular expressions for ReDoS-prone patterns and emits a process warning (FAST_JWT_UNSAFE_REGEXP) when one is detected.

Commit: 18d2590

Secondary fix: resets r.lastIndex to 0 before each match. A RegExp created with the /g or /y flag keeps its position between test() calls, so without the reset a valid claim could fail to match on the next token, or a stale position could produce an inconsistent result.

Exploit Details

Mitigation Strategies

  • Dependency upgrade to fast-jwt 6.2.1 or later
  • Configuration audit of RegExp-based claim matchers passed to createVerifier()
  • Static analysis of claim regular expressions for ReDoS-prone patterns (for example with safe-regex2)
  • Runtime monitoring for FAST_JWT_UNSAFE_REGEXP warnings and event-loop stalls

Remediation Steps:

  1. Update fast-jwt to version 6.2.1 or higher via npm or yarn.
  2. Audit the application codebase for calls to createVerifier().
  3. Identify all configurations using RegExp objects for allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce.
  4. Replace regular expressions with exact string matches or arrays of strings where possible.
  5. After upgrading, watch process warnings (stderr, or a process.on('warning') handler) for FAST_JWT_UNSAFE_REGEXP, which the fixed version emits when it detects an unsafe pattern in the verifier configuration.
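The following is an added example written for this page; it is not fast-jwt's code and does not import fast-jwt. On plain RegExp objects it demonstrates the two behaviours the fix commits address (the stateful lastIndex of /g and /y patterns, and catastrophic backtracking in a nested-quantifier pattern), then runs a pre-flight audit over a createVerifier()-style options object using the allowedAud/allowedIss/allowedSub/allowedJti/allowedNonce option names from the remediation steps. The function names, the star-height heuristic and the sample options are assumptions made for illustration; the heuristic is not the safe-regex2 check that fast-jwt adopted.

```javascript
// Added example for this advisory; not fast-jwt code, no fast-jwt import.
// The ReDoS screen below is a deliberately small star-height heuristic
// (a quantifier applied to a group that itself contains a quantifier). It is
// not safe-regex2 and misses other ReDoS shapes, e.g. overlapping
// alternations such as /(a|aa)+$/.

// Claim check as a verifier might do it before the lastIndex fix:
// the caller's RegExp is used as-is.
function matchClaimNaive(pattern, value) {
  return pattern.test(value);
}

// Hardened claim check: a /g or /y RegExp carries lastIndex between calls,
// so reset it before every test() to get stateless anchored matching.
function matchClaimSafe(pattern, value) {
  pattern.lastIndex = 0;
  return pattern.test(value);
}

// Run the same matcher twice against one RegExp object and return both
// results, to expose the stateful behaviour.
function checkTwice(matcher, pattern, value) {
  return [matcher(pattern, value), matcher(pattern, value)];
}

// Heuristic ReDoS screen over a RegExp source string. Escapes and character
// classes are skipped; a quantifier directly following a ')' whose group
// already contained a quantifier is nested, e.g. /^(a+)+$/ or /^(\w+\.)*x$/.
function hasNestedQuantifier(source) {
  const open = [];                 // per open group: did a quantifier occur inside it
  let closedHadQuantifier = false; // true right after ')' closes such a group
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === '\\') { i++; continue; }                  // skip the escaped char
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') { inClass = true; continue; }
    if (c === '(') { open.push(false); closedHadQuantifier = false; continue; }
    if (c === ')') { closedHadQuantifier = open.pop() === true; continue; }
    const isQuantifier =
      c === '*' || c === '+' || c === '{' || (c === '?' && source[i - 1] !== '(');
    if (!isQuantifier) continue;
    if (source[i - 1] === ')' && closedHadQuantifier) return true;
    for (let k = 0; k < open.length; k++) open[k] = true;  // mark enclosing groups
    closedHadQuantifier = false;
  }
  return false;
}

// Audit a createVerifier()-style options object (option names taken from the
// remediation steps) and return the names of options whose RegExp values
// fail the screen. Strings are always fine; arrays may mix strings and RegExps.
const CLAIM_OPTIONS = ['allowedAud', 'allowedIss', 'allowedSub', 'allowedJti', 'allowedNonce'];

function unsafeClaimMatchers(options) {
  const unsafe = [];
  for (const name of CLAIM_OPTIONS) {
    const values = [].concat(options[name] ?? []);
    if (values.some((v) => v instanceof RegExp && hasNestedQuantifier(v.source))) {
      unsafe.push(name);
    }
  }
  return unsafe;
}

// Wall-clock cost of matching /^(a+)+$/ against n 'a's plus a non-matching
// tail: the failed match makes the engine try every partition of the run,
// so the time roughly doubles with each extra character.
function backtrackingCostMs(n) {
  const pattern = /^(a+)+$/;
  const value = 'a'.repeat(n) + '!';   // constructed hostile claim value
  const start = process.hrtime.bigint();
  pattern.test(value);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Constructed verifier options: one exact string, one safe regex, one unsafe.
const exampleOptions = {
  allowedIss: 'https://issuer.example',
  allowedAud: [/^svc-[a-z0-9-]+$/, 'legacy-client'],
  allowedSub: /^([a-z0-9]+\.)*user$/,
};

console.log('naive /g matcher, two calls:', checkTwice(matchClaimNaive, /^svc-[a-z]+$/g, 'svc-billing'));
console.log('safe  /g matcher, two calls:', checkTwice(matchClaimSafe, /^svc-[a-z]+$/g, 'svc-billing'));
console.log('options failing the screen :', unsafeClaimMatchers(exampleOptions));
for (const n of [12, 16, 20]) {
  console.log(`/^(a+)+$/ vs ${n} chars: ${backtrackingCostMs(n).toFixed(2)} ms`);
}
```

Run it with node. The naive matcher returns true then false for the same valid audience because the /g pattern resumes from the end of the previous match; the timing loop shows why a crafted claim value is enough to stall the event loop once a nested-quantifier pattern is in the configuration. The screen only catches the nested-quantifier family, so patterns with overlapping alternations should also be replaced with exact strings or string arrays where step 4 allows.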

References


Read the full report for CVE-2026-35041 on our website for more details including interactive diagrams and full exploit analysis.
