npm · 2 critical
fast-jwt
6 known vulnerabilities · 2 critical · 1 high
GHSA-3j8v-cgw4-2g6q
fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)
Published Apr 9, 2026
GHSA-cjw9-ghj4-fwxf
fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification
Published Apr 9, 2026
CVE-2026-35042 · HIGH
Risk: 50.38/100
fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation)
Published Apr 3, 2026
CVE-2026-34950 · CRITICAL
Risk: 62.39/100
fast-jwt: Incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key
Published Apr 2, 2026
CVE-2026-35039 · CRITICAL
Risk: 62.39/100
fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)
Published Apr 3, 2026