CVE-2026-35042: CWE-345: Insufficient Verification of Data Authenticity in nearform fast-jwt
CVE-2026-35042 affects nearform's fast-jwt library version 6. 1. 0 and earlier. The vulnerability arises because the library does not validate the 'crit' (Critical) Header Parameter as required by RFC 7515 §4. 1. 11. Specifically, if a JSON Web Signature (JWS) token contains a 'crit' array listing extensions that fast-jwt does not recognize, the token is accepted instead of being rejected. This behavior violates the mandatory requirement in the RFC and can lead to insufficient verification of data authenticity.
AI Analysis
Technical Summary
The fast-jwt library provides a fast implementation of JSON Web Tokens (JWT). In versions 6.1.0 and earlier, it fails to enforce validation of the 'crit' header parameter as specified in RFC 7515 §4.1.11. The 'crit' header indicates critical extensions that must be understood and processed by the JWT consumer. If the library encounters unknown critical extensions listed in the 'crit' array, it should reject the token. Instead, fast-jwt accepts such tokens, violating the RFC's MUST requirement. This flaw corresponds to CWE-345 (Insufficient Verification of Data Authenticity) and CWE-636 (Not Authorized). The CVSS 3.1 base score is 7.5, indicating a high severity vulnerability with network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, but high integrity impact and no availability impact.
Potential Impact
An attacker could craft a JWT containing unknown critical extensions in the 'crit' header, which fast-jwt would accept without proper validation. This can lead to acceptance of tokens that should have been rejected, potentially allowing unauthorized actions or bypassing integrity checks. The integrity of the system relying on fast-jwt for token validation is compromised. There is no known exploit in the wild as of the published date.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch links are provided. Users should monitor the vendor's advisory for updates and apply any forthcoming patches promptly. Until a fix is available, avoid using fast-jwt versions 6.1.0 and earlier in security-critical environments or implement additional validation of the 'crit' header parameter externally.
CVE-2026-35042: CWE-345: Insufficient Verification of Data Authenticity in nearform fast-jwt
Description
CVE-2026-35042 affects nearform's fast-jwt library version 6. 1. 0 and earlier. The vulnerability arises because the library does not validate the 'crit' (Critical) Header Parameter as required by RFC 7515 §4. 1. 11. Specifically, if a JSON Web Signature (JWS) token contains a 'crit' array listing extensions that fast-jwt does not recognize, the token is accepted instead of being rejected. This behavior violates the mandatory requirement in the RFC and can lead to insufficient verification of data authenticity.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The fast-jwt library provides a fast implementation of JSON Web Tokens (JWT). In versions 6.1.0 and earlier, it fails to enforce validation of the 'crit' header parameter as specified in RFC 7515 §4.1.11. The 'crit' header indicates critical extensions that must be understood and processed by the JWT consumer. If the library encounters unknown critical extensions listed in the 'crit' array, it should reject the token. Instead, fast-jwt accepts such tokens, violating the RFC's MUST requirement. This flaw corresponds to CWE-345 (Insufficient Verification of Data Authenticity) and CWE-636 (Not Authorized). The CVSS 3.1 base score is 7.5, indicating a high severity vulnerability with network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, but high integrity impact and no availability impact.
Potential Impact
An attacker could craft a JWT containing unknown critical extensions in the 'crit' header, which fast-jwt would accept without proper validation. This can lead to acceptance of tokens that should have been rejected, potentially allowing unauthorized actions or bypassing integrity checks. The integrity of the system relying on fast-jwt for token validation is compromised. There is no known exploit in the wild as of the published date.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch links are provided. Users should monitor the vendor's advisory for updates and apply any forthcoming patches promptly. Until a fix is available, avoid using fast-jwt versions 6.1.0 and earlier in security-critical environments or implement additional validation of the 'crit' header parameter externally.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-31T21:06:06.428Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d3ea320a160ebd92c9fd90
Added to database: 4/6/2026, 5:15:30 PM
Last enriched: 4/6/2026, 5:30:39 PM
Last updated: 4/7/2026, 3:06:26 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.