CVE-2026-35041: fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification
⚠️ IMPORTANT CLARIFICATIONS
Affected Configurations
This vulnerability ONLY affects applications that:
- Use RegExp objects (not strings) in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options
- Configure patterns susceptible to catastrophic backtracking
- Example:
  allowedAud: /^(a+)+X$/ ← VULNERABLE
  allowedAud: "api.company.com" ← SAFE
Not Affected
- Applications using string patterns for audience validation (most common)
- Applications using safe RegExp patterns without nested quantifiers
- Default fast-jwt configurations
Assessment Guide
To determine if you’re affected:
- Check if allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce use RegExp objects (/pattern/ or new RegExp())
- If yes, review the pattern for nested quantifiers like (a+)+, (.*)*, etc.
- If no RegExp usage, you are NOT affected
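The assessment steps above, turned into a small audit script. This is an added example, not fast-jwt's own code: it assumes the plain options object an application passes to fast-jwt's createVerifier(), takes the five option names from this advisory, and uses a nested-quantifier heuristic that is an assumption of this example rather than a complete ReDoS analyzer.

```javascript
// Added example (not fast-jwt's own code): audit a createVerifier() options
// object for the configuration the advisory describes. The five option names
// come from the advisory; the nested-quantifier heuristic below is an
// assumption of this example, not a complete ReDoS analyzer.
const REGEXP_OPTIONS = ["allowedAud", "allowedIss", "allowedSub", "allowedJti", "allowedNonce"];

// Innermost group followed by an unbounded quantifier: (...)+, (...)*, (...){n,}
const QUANTIFIED_GROUP = /\(([^()]*)\)(?:[+*]|\{\d+,\d*\})/g;
// Unbounded quantifier inside the group body, e.g. the a+ in (a+)+ or .* in (.*)*
const UNBOUNDED = /[+*]|\{\d+,\d*\}/;

// True when the pattern source nests one unbounded quantifier inside another.
function hasNestedQuantifier(source) {
  for (const m of source.matchAll(QUANTIFIED_GROUP)) {
    if (UNBOUNDED.test(m[1])) return true;
  }
  return false;
}

// Returns one finding per RegExp value found in the allowed* options.
// String values are skipped: the advisory states they are not affected.
// Arrays are walked too (assumption: a caller may pass several patterns).
function auditVerifierOptions(options) {
  const findings = [];
  for (const name of REGEXP_OPTIONS) {
    const value = options[name];
    if (value === undefined || value === null) continue;
    const values = Array.isArray(value) ? value : [value];
    for (const v of values) {
      if (!(v instanceof RegExp)) continue;
      findings.push({ option: name, source: v.source, suspicious: hasNestedQuantifier(v.source) });
    }
  }
  return findings;
}

// Constructed sample configuration mixing the advisory's VULNERABLE and SAFE shapes.
const sampleOptions = {
  allowedAud: /^(a+)+X$/,               // RegExp with nested quantifier: flagged
  allowedIss: "https://issuer.example", // string: not affected, not reported
  allowedSub: /^user-\d+$/,             // RegExp without nesting: reported, not suspicious
};

for (const f of auditVerifierOptions(sampleOptions)) {
  console.log(`${f.option}: /${f.source}/ ${f.suspicious ? "NESTED QUANTIFIER - review" : "ok"}`);
}
```

A finding marked suspicious is a pattern to replace with a string value or a pattern without nested quantifiers before upgrading and redeploying.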
References
- github.com/advisories/GHSA-cjw9-ghj4-fwxf
- github.com/nearform/fast-jwt
- github.com/nearform/fast-jwt/commit/b0be0ca161593836a153d5180ca5358ad9b5de94
- github.com/nearform/fast-jwt/pull/595
- github.com/nearform/fast-jwt/releases/tag/v6.2.1
- github.com/nearform/fast-jwt/security/advisories/GHSA-cjw9-ghj4-fwxf
- nvd.nist.gov/vuln/detail/CVE-2026-35041