fast-jwt
npm · 8 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting fast-jwt
- CVE-2023-48223 · MEDIUM · CVSS 5.9 · EG 5.9 · ✓ Fixed in 3.3.2 · 2023-11-20
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to version 3.3.2, the fast-jwt library does not properly prevent JWT algorithm confusion for all public key types. The 'publicKeyPemMatcher' in 'fast-jwt/src/crypto.js' does…
- CVE-2025-30144 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 5.0.6 · 2025-03-19
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 5.0.6, the fast-jwt library does not properly validate the iss claim based on the RFC 7519. The iss (issuer) claim validation within the fast-jwt library permits an array…
- CVE-2026-34950 · CRITICAL · CVSS 9.1 · EG 9.1 · ✓ Fixed in 6.2.0 · 2026-04-06
fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, the publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact s…
- CVE-2026-35039 · CRITICAL · CVSS 9.1 · EG 9.1 · ✓ Fixed in 6.2.0 · 2026-04-06
fast-jwt provides fast JSON Web Token (JWT) implementation. From 0.0.1 to before 6.2.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cau…
- CVE-2026-35040 · MEDIUM · CVSS 5.3 · EG 5.3 · ✓ Fixed in 6.2.1 · 2026-04-09
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unin…
- CVE-2026-35041 · MEDIUM · CVSS 4.2 · EG 4.2 · ✓ Fixed in 6.2.1 · 2026-04-09
fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is at…
- CVE-2026-35042 · HIGH · CVSS 7.5 · EG 7.5 · 2026-04-06
fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that …
- CVE-2026-44351 · CRITICAL · CVSS 9.1 · EG 9.1 · ✓ Fixed in 6.2.4 · 2026-05-13
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted …