CVE-2026-35040: CWE-697: Incorrect Comparison in nearform fast-jwt
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided. Such modifiers are /g (global matching) and /y (sticky matching). This does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes 50% of valid authentication requests to fail in an alternating pattern. This vulnerability is fixed in 6.2.1.
AI Analysis
Technical Summary
The fast-jwt library versions before 6.2.1 have an incorrect comparison issue due to stateful regular expression modifiers used in allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options during token verification. Specifically, the global (/g) and sticky (/y) RegExp modifiers cause the verification function to fail every second attempt, leading to valid tokens being rejected intermittently. This behavior does not compromise token acceptance of invalid tokens but impacts availability by causing authentication failures. The vulnerability is tracked as CVE-2026-35040 and is classified under CWE-697 (Incorrect Comparison) and CWE-440 (Expected Behavior Violation).
Potential Impact
The vulnerability causes denial of service for valid authentication requests by rejecting about half of them in an alternating pattern. There is no impact on confidentiality or integrity since invalid tokens are not accepted. The CVSS score is 5.3 (medium severity), reflecting the availability impact without privilege or data compromise.
Mitigation Recommendations
Upgrade fast-jwt to version 6.2.1 or later, where this issue is fixed. No other mitigations are indicated or necessary since the vulnerability is resolved in the updated version. Patch status is confirmed by the versioning information in the advisory.
CVE-2026-35040: CWE-697: Incorrect Comparison in nearform fast-jwt
Description
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided. Such modifiers are /g (global matching) and /y (sticky matching). This does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes 50% of valid authentication requests to fail in an alternating pattern. This vulnerability is fixed in 6.2.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The fast-jwt library versions before 6.2.1 have an incorrect comparison issue due to stateful regular expression modifiers used in allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options during token verification. Specifically, the global (/g) and sticky (/y) RegExp modifiers cause the verification function to fail every second attempt, leading to valid tokens being rejected intermittently. This behavior does not compromise token acceptance of invalid tokens but impacts availability by causing authentication failures. The vulnerability is tracked as CVE-2026-35040 and is classified under CWE-697 (Incorrect Comparison) and CWE-440 (Expected Behavior Violation).
Potential Impact
The vulnerability causes denial of service for valid authentication requests by rejecting about half of them in an alternating pattern. There is no impact on confidentiality or integrity since invalid tokens are not accepted. The CVSS score is 5.3 (medium severity), reflecting the availability impact without privilege or data compromise.
Mitigation Recommendations
Upgrade fast-jwt to version 6.2.1 or later, where this issue is fixed. No other mitigations are indicated or necessary since the vulnerability is resolved in the updated version. Patch status is confirmed by the versioning information in the advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-31T21:06:06.428Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d843791cc7ad14da3fb6ab
Added to database: 4/10/2026, 12:25:29 AM
Last enriched: 4/17/2026, 11:54:00 AM
Last updated: 5/25/2026, 6:03:14 AM
Views: 94
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.