CVE-2026-35039: CWE-345: Insufficient Verification of Data Authenticity in nearform fast-jwt
fast-jwt provides a fast JSON Web Token (JWT) implementation. From 0.0.1 to before 6.2.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification process, leading to valid tokens returning claims from different valid tokens and users being mis-identified as other users based on the wrong token. Version 6.2.0 contains a patch.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The vulnerability in nearform's fast-jwt library arises when a custom cacheKeyBuilder, the function used to derive the key under which a JWT verification result is cached, does not produce a unique key per token. Two different tokens that map to the same key collide in the cache, so the verification process returns the claims stored for an earlier, different token. This flaw can lead to users being mis-identified as other users, violating data authenticity and integrity. The issue affects all versions from 0.0.1 up to, but not including, 6.2.0. The vendor fixed the vulnerability in version 6.2.0.
Potential Impact
Exploitation of this vulnerability can result in users being authenticated with claims from other users' tokens, potentially allowing unauthorized access to sensitive information or actions under another user's identity. The CVSS score of 9.1 reflects a critical impact on confidentiality and integrity with no required privileges or user interaction for exploitation.
Mitigation Recommendations
Upgrade fast-jwt to version 6.2.0 or later, which contains the official patch fixing the cache key uniqueness issue. Until upgrading, avoid using custom cacheKeyBuilder implementations that do not guarantee unique keys per token to prevent cache collisions.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-31T21:06:06.428Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69d3ea320a160ebd92c9fd8d
Added to database: 4/6/2026, 5:15:30 PM
Last enriched: 5/14/2026, 2:25:48 AM
Last updated: 5/22/2026, 2:12:47 PM