PT-2026-29968 · Pypi · Fast-Jwt

Rtvkiz · Published 2026-04-02 · Updated 2026-04-08 · CVE-2026-34950

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: fast-jwt (affected versions not specified)

Description: The fast-jwt library contains an incomplete fix for a JWT algorithm confusion issue. The public key matcher regex in fast-jwt/src/crypto.js uses a leading anchor that can be bypassed by whitespace in the key string, re-enabling the JWT algorithm confusion attack that the original fix (CVE-2023-48223) intended to address. Specifically, the publicKeyPemMatcher regex requires a match at the beginning of the string, but this requirement is defeated by any leading whitespace. This allows an attacker to sign an HS256 token using the public key as the HMAC secret, effectively bypassing authentication. Leading whitespace in PEM key strings is common in real-world deployments, such as those involving PostgreSQL/MySQL text columns, YAML multiline strings, environment variables, and copy-pasted configurations. The vulnerability occurs when the server uses the RS256 algorithm with a public key containing leading whitespace and calls the verify function without explicitly specifying the algorithm. The attacker needs knowledge of the server's RSA public key to exploit this issue.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Use of a Broken Cryptographic Algorithm

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-34950
GHSA-MVF2-F6GM-W987

Affected Products

Fast-Jwt