CVE-2026-35042: fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation)
fast-jwt does not validate the `crit` (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token carries a `crit` array that names extensions fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST-level requirement of that section, under which a recipient must treat such a JWS as invalid.
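The check the advisory describes, written out as an added illustration for a verifier (this is not fast-jwt's code or its fix; `supportedExtensions`, the sample token and the `urn:example:ext` extension name are constructed for the example):

```javascript
// Added example: a standalone RFC 7515 §4.1.11 "crit" check for a compact JWS.
// Not fast-jwt's implementation. `supportedExtensions` is an assumed parameter:
// the set of extension Header Parameter names this verifier actually implements.

// Header Parameter names defined by RFC 7515 (JWS) and RFC 7516 (JWE).
// RFC 7515 says producers MUST NOT list these in "crit"; a strict verifier rejects them.
const STANDARD_HEADER_NAMES = new Set([
  'alg', 'jku', 'jwk', 'kid', 'x5u', 'x5c', 'x5t', 'x5t#S256', 'typ', 'cty', 'crit',
  'enc', 'zip', // RFC 7516
]);

// Throws if the header's "crit" is malformed or names anything we do not support.
// An absent "crit" is fine; an empty "crit" array is not.
function checkCriticalHeader(header, supportedExtensions = new Set()) {
  if (!Object.prototype.hasOwnProperty.call(header, 'crit')) return;
  const crit = header.crit;
  if (!Array.isArray(crit) || crit.length === 0) {
    throw new Error('"crit" must be a non-empty array');
  }
  const seen = new Set();
  for (const name of crit) {
    if (typeof name !== 'string' || name.length === 0) throw new Error('"crit" entries must be non-empty strings');
    if (seen.has(name)) throw new Error(`duplicate "crit" entry: ${name}`);
    seen.add(name);
    if (STANDARD_HEADER_NAMES.has(name)) throw new Error(`"crit" must not list standard header "${name}"`);
    // Each critical extension must actually be present in the header ...
    if (!Object.prototype.hasOwnProperty.call(header, name)) throw new Error(`"crit" names "${name}" but header lacks it`);
    // ... and must be one this verifier understands; otherwise the JWS is invalid.
    if (!supportedExtensions.has(name)) throw new Error(`unsupported critical extension "${name}"`);
  }
}

// Decode only the protected header of a compact JWS (no signature check here).
function decodeProtectedHeader(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
}

// true if the header passes the "crit" check, false if the token must be rejected.
function acceptsCrit(token, supportedExtensions) {
  try { checkCriticalHeader(decodeProtectedHeader(token), supportedExtensions); return true; }
  catch { return false; }
}

// Constructed sample token: header lists a critical extension, payload "{}", dummy signature.
function encodeHeader(obj) { return Buffer.from(JSON.stringify(obj)).toString('base64url'); }
const SAMPLE_TOKEN = encodeHeader({ alg: 'HS256', crit: ['urn:example:ext'], 'urn:example:ext': true }) + '.e30.sig';
```

A verifier that does not know `urn:example:ext` must reject `SAMPLE_TOKEN`; the vulnerable behaviour described above is accepting it anyway.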
Detect and mitigate CVE-2026-35042 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →