CVE-2026-35042: CWE-345: Insufficient Verification of Data Authenticity in nearform fast-jwt
fast-jwt versions 6. 1. 0 and earlier do not validate the 'crit' (Critical) Header Parameter in JSON Web Tokens as required by RFC 7515 §4. 1. 11. This means that if a token contains a 'crit' array listing extensions that fast-jwt does not recognize, the library incorrectly accepts the token instead of rejecting it. This behavior violates the mandatory validation requirement defined in the RFC and can lead to insufficient verification of data authenticity.
AI Analysis
Technical Summary
The vulnerability in nearform's fast-jwt library (versions 6.1.0 and earlier) arises from improper handling of the 'crit' header parameter in JSON Web Signature (JWS) tokens. According to RFC 7515 §4.1.11, if a JWS token includes a 'crit' array specifying critical extensions that the implementation does not understand, the token must be rejected. fast-jwt fails to enforce this requirement, accepting tokens with unrecognized critical extensions. This constitutes insufficient verification of data authenticity (CWE-345) and improper input validation (CWE-636). The CVSS 3.1 base score is 7.5 (high severity) with network attack vector, low attack complexity, no privileges or user interaction required, and impact limited to integrity compromise.
Potential Impact
An attacker could craft a JWS token containing unrecognized critical header extensions that fast-jwt accepts without proper validation. This flaw allows the acceptance of potentially malicious or tampered tokens, violating the integrity guarantees of JWTs. Although confidentiality and availability are not impacted, the integrity of token data can be compromised, potentially leading to unauthorized actions or bypass of security controls relying on token validation.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch links are currently available. Users should monitor the vendor advisory for updates. Until a fix is released, avoid using fast-jwt versions 6.1.0 and earlier in security-critical contexts or implement additional validation of the 'crit' header parameter externally to ensure compliance with RFC 7515 §4.1.11.
CVE-2026-35042: CWE-345: Insufficient Verification of Data Authenticity in nearform fast-jwt
Description
fast-jwt versions 6. 1. 0 and earlier do not validate the 'crit' (Critical) Header Parameter in JSON Web Tokens as required by RFC 7515 §4. 1. 11. This means that if a token contains a 'crit' array listing extensions that fast-jwt does not recognize, the library incorrectly accepts the token instead of rejecting it. This behavior violates the mandatory validation requirement defined in the RFC and can lead to insufficient verification of data authenticity.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in nearform's fast-jwt library (versions 6.1.0 and earlier) arises from improper handling of the 'crit' header parameter in JSON Web Signature (JWS) tokens. According to RFC 7515 §4.1.11, if a JWS token includes a 'crit' array specifying critical extensions that the implementation does not understand, the token must be rejected. fast-jwt fails to enforce this requirement, accepting tokens with unrecognized critical extensions. This constitutes insufficient verification of data authenticity (CWE-345) and improper input validation (CWE-636). The CVSS 3.1 base score is 7.5 (high severity) with network attack vector, low attack complexity, no privileges or user interaction required, and impact limited to integrity compromise.
Potential Impact
An attacker could craft a JWS token containing unrecognized critical header extensions that fast-jwt accepts without proper validation. This flaw allows the acceptance of potentially malicious or tampered tokens, violating the integrity guarantees of JWTs. Although confidentiality and availability are not impacted, the integrity of token data can be compromised, potentially leading to unauthorized actions or bypass of security controls relying on token validation.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch links are currently available. Users should monitor the vendor advisory for updates. Until a fix is released, avoid using fast-jwt versions 6.1.0 and earlier in security-critical contexts or implement additional validation of the 'crit' header parameter externally to ensure compliance with RFC 7515 §4.1.11.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-31T21:06:06.428Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d3ea320a160ebd92c9fd90
Added to database: 4/6/2026, 5:15:30 PM
Last enriched: 4/14/2026, 3:57:45 PM
Last updated: 5/22/2026, 8:34:13 PM
Views: 68
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.