The fast-jwt library versions before 6.2.1 have an incorrect comparison issue due to the use of stateful regular expression modifiers (/g and /y) in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options during token verification. These modifiers cause the RegExp to maintain state between calls, leading to failures on every second verification attempt regardless of token validity. This results in valid tokens being improperly rejected about half the time. The vulnerability does not allow acceptance of invalid tokens. The problem is resolved in fast-jwt version 6.2.1.

The impact is limited to availability of authentication services, as about 50% of valid JWT authentication requests may fail intermittently when using affected versions with certain RegExp modifiers. There is no confidentiality or integrity impact since invalid tokens are not accepted. This can cause denial of service for legitimate users relying on fast-jwt for JWT verification under the affected configurations.

Upgrade fast-jwt to version 6.2.1 or later where this issue is fixed. Avoid using stateful RegExp modifiers (/g and /y) in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions if upgrading is not immediately possible. Patch status is not explicitly stated but the fix is available in version 6.2.1.