CVE-2026-35042

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N                                    

Vulnerability Description

fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC.

Vulnerability Details

Published Date

April 03, 2026

Last Modified

April 10, 2026

CWE ID

CWE-345

Source

GitHub

Vendor

npm

Product

fast-jwt

External References

https://github.com/nearform/fast-jwt/security/advisories/GHSA-hm7r-c7qw-ghp6
https://github.com/advisories/GHSA-9ggr-2464-2j32
https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11
https://github.com/advisories/GHSA-hm7r-c7qw-ghp6

CVE-2026-35042

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment