CVE-2026-34950: fast-jwt: Incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key

April 2, 2026 (updated April 7, 2026)

The fix for GHSA-c2ff-88x2-x9pg (CVE-2023-48223) is incomplete. The publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact same JWT algorithm confusion attack that the CVE patched.

References

github.com/advisories/GHSA-c2ff-88x2-x9pg
github.com/advisories/GHSA-mvf2-f6gm-w987
github.com/nearform/fast-jwt
github.com/nearform/fast-jwt/security/advisories/GHSA-mvf2-f6gm-w987
nvd.nist.gov/vuln/detail/CVE-2026-34950

Code Behaviors & Features

Detect and mitigate CVE-2026-34950 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →