CVE-2026-35042
CVSS base score: 7.5 (High)
Published:
Last updated:
Source: security-advisories@github.com
Status: Analyzed
Weakness (CWE):
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: High
- Availability: None
Description
fast-jwt provides a fast JSON Web Token (JWT) implementation. In versions 6.1.0 and earlier, fast-jwt does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it, which violates the MUST requirement in the RFC.
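The following is an added example, not code from fast-jwt or from the advisory, showing the crit handling RFC 7515 §4.1.11 requires of a verifier: the protected header of a compact JWS is decoded and the token is rejected unless crit is a non-empty array of header names that are actually present, are not standard JWS/JWA header names, and are all in the verifier's own list of implemented extensions. The function names (checkCrit, verifyCritOrReject, makeSampleToken), the supportedExtensions parameter and the sample tokens are constructed for this illustration.

```javascript
// Added example (not fast-jwt's code): a standalone check for the JWS "crit"
// header (RFC 7515 §4.1.11) that a verifier runs before trusting a token.

// Header names defined by JWS (RFC 7515 §4.1) and JWA for use with JWS;
// RFC 7515 says producers MUST NOT list these in "crit".
const STANDARD_HEADER_NAMES = new Set([
  'alg', 'jku', 'jwk', 'kid', 'x5u', 'x5c', 'x5t', 'x5t#S256', 'typ', 'cty', 'crit',
]);

// base64url (no padding) helpers; Buffer's 'base64' decoder tolerates missing padding.
function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}
function b64urlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}

// Decode the protected header of a compact-serialized JWS (header.payload.signature).
function decodeProtectedHeader(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(b64urlDecode(parts[0]));
}

// Returns { ok: true } or { ok: false, reason } saying why the token must be rejected.
// supportedExtensions (hypothetical parameter) lists the extension header names this
// verifier actually implements; anything else named in "crit" is fatal.
function checkCrit(header, supportedExtensions = []) {
  if (!Object.prototype.hasOwnProperty.call(header, 'crit')) return { ok: true };
  const crit = header.crit;
  if (!Array.isArray(crit) || crit.length === 0) {
    return { ok: false, reason: '"crit" must be a non-empty array' };
  }
  const supported = new Set(supportedExtensions);
  const seen = new Set();
  for (const name of crit) {
    if (typeof name !== 'string') return { ok: false, reason: '"crit" entries must be strings' };
    if (seen.has(name)) return { ok: false, reason: `duplicate "crit" entry "${name}"` };
    seen.add(name);
    if (STANDARD_HEADER_NAMES.has(name)) {
      return { ok: false, reason: `"crit" may not list standard header "${name}"` };
    }
    if (!Object.prototype.hasOwnProperty.call(header, name)) {
      return { ok: false, reason: `"crit" names "${name}" but that header is absent` };
    }
    if (!supported.has(name)) {
      // RFC 7515: if any listed extension is not understood, the JWS is invalid.
      return { ok: false, reason: `unsupported critical extension "${name}"` };
    }
  }
  return { ok: true };
}

// Run the crit check on a compact JWS; a verifier would call this before (or as part of)
// signature verification and refuse the token on { ok: false }.
function verifyCritOrReject(token, supportedExtensions = []) {
  return checkCrit(decodeProtectedHeader(token), supportedExtensions);
}

// Constructed sample tokens: only the header matters for this check, so the
// payload is a placeholder and the signature segment is a dummy string.
function makeSampleToken(header) {
  return `${b64urlEncode(JSON.stringify(header))}.${b64urlEncode(JSON.stringify({ sub: 'demo' }))}.sig`;
}

// Usage: a token whose crit names an extension we do not implement is rejected.
const sample = makeSampleToken({ alg: 'HS256', crit: ['http://example.invalid/ext'], 'http://example.invalid/ext': true });
console.log(verifyCritOrReject(sample, []));                                   // { ok: false, reason: ... }
console.log(verifyCritOrReject(sample, ['http://example.invalid/ext']));      // { ok: true }
```

The check is deliberately run on the protected header alone and before any signature check, so that a token carrying an extension the verifier cannot honour never reaches the point where its payload might be trusted; a library that skips this step, as described above, silently drops whatever security semantics the critical extension was meant to enforce.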
References
- https://github.com/nearform/fast-jwt/security/advisories/GHSA-hm7r-c7qw-ghp6 (source: security-advisories@github.com)
- https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11 (source: 134c704f-9b21-4f2e-91b3-4a467353bcc0)