PT-2026-31621 · Fast-Jwt · Fast-Jwt

Published 2026-04-09 · Updated 2026-04-09 · CVE-2026-35040

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: fast-jwt versions prior to 6.2.1
Description: The fast-jwt library is susceptible to an issue where using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options of the verify functions leads to unintended behavior. Specifically, the /g (global matching) and /y (sticky matching) modifiers make a RegExp stateful: RegExp.prototype.test() stores the end of a successful match in the object's lastIndex, the next call starts matching at that position and fails, and the failed call resets lastIndex to 0. Because fast-jwt reuses the same RegExp object across verifications without resetting lastIndex, the same pattern alternately accepts and rejects a claim value regardless of the token's validity. This does not allow invalid tokens to be accepted, but it causes roughly 50% of valid authentication requests to fail, which leads to intermittent user authentication failures, potential retry storms, and operational monitoring alerts.
Recommendations: Update to version 6.2.1 or later to resolve this issue. As a temporary workaround, remove the /g and /y modifiers from any regular expressions passed in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options. Removing /g does not change which values match; removing /y can, because a sticky pattern only matches at the start of the value, so add a ^ anchor if the pattern did not already have one. Claim allow-list patterns should in any case be anchored (^...$) so that a partial match is never accepted.
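The lastIndex mechanism described above, reproduced as an added example in plain JavaScript. This is not fast-jwt's code and does not call the library: the matchers naiveMatch (modelling the pre-6.2.1 reuse of a RegExp without resetting lastIndex) and safeMatch, the option-scanning helpers, the sample audience value and the options object are all constructed here for illustration, and the assumption that each of the five options holds a string, a RegExp or an array of either is the example's own.

```javascript
// Added example, not fast-jwt's own code: shows why a /g or /y RegExp in a
// verifier allow-list fails on every other check, and two ways to guard against it.

// Constructed sample claim value (a valid audience).
const AUD = 'https://api.example.com';

// Naive matcher modelling the vulnerable behaviour: the same RegExp object is
// reused across calls and its lastIndex is never reset, so a /g or /y pattern
// carries state from one verification into the next.
function naiveMatch(value, allowed) {
  return allowed.some(a => (a instanceof RegExp ? a.test(value) : a === value));
}

// Hardened matcher: reset lastIndex before every test so a stateful RegExp
// always starts at position 0, whatever the previous call left behind.
function safeMatch(value, allowed) {
  return allowed.some(a => {
    if (!(a instanceof RegExp)) return a === value;
    a.lastIndex = 0;
    return a.test(value);
  });
}

// Run n verifications of the same value against the same allow-list and return
// the sequence of results, so the alternating true/false pattern is visible.
function verifyRepeatedly(matcher, value, allowed, n) {
  const results = [];
  for (let i = 0; i < n; i++) results.push(matcher(value, allowed));
  return results;
}

// The five option names are the ones named in the advisory; the options object
// shape (string | RegExp | array of either per option) is assumed here.
const REGEXP_OPTIONS = ['allowedAud', 'allowedIss', 'allowedSub', 'allowedJti', 'allowedNonce'];

// Pre-flight check for verifier options: list every RegExp entry that carries
// the stateful /g or /y flag, as "option: /source/flags".
function findStatefulRegExps(options) {
  const bad = [];
  for (const name of REGEXP_OPTIONS) {
    const list = [].concat(options[name] ?? []);
    for (const entry of list) {
      if (entry instanceof RegExp && (entry.global || entry.sticky)) {
        bad.push(`${name}: /${entry.source}/${entry.flags}`);
      }
    }
  }
  return bad;
}

// The advisory's workaround applied programmatically: rebuild each offending
// RegExp without g/y. Each option comes back as an array. Note that a sticky
// pattern without a ^ anchor will match more loosely once /y is gone.
function stripStatefulFlags(options) {
  const out = { ...options };
  for (const name of REGEXP_OPTIONS) {
    if (out[name] === undefined) continue;
    out[name] = [].concat(out[name]).map(entry =>
      entry instanceof RegExp
        ? new RegExp(entry.source, entry.flags.replace(/[gy]/g, ''))
        : entry
    );
  }
  return out;
}

// Demonstration on a constructed options object.
const demoOpts = {
  allowedAud: [/^https:\/\/api\.example\.com$/g, 'legacy-client'],
  allowedIss: /^https:\/\/issuer\.example\.com$/y,
};
console.log('naive, /g pattern:', verifyRepeatedly(naiveMatch, AUD, demoOpts.allowedAud, 4));
console.log('safe,  /g pattern:', verifyRepeatedly(safeMatch, AUD, demoOpts.allowedAud, 4));
console.log('stateful entries:', findStatefulRegExps(demoOpts));
console.log('after stripping :', findStatefulRegExps(stripStatefulFlags(demoOpts)));
```

The naive run against the /g pattern prints true, false, true, false: the first test succeeds and advances lastIndex to the end of the string, the second starts there, finds nothing and resets lastIndex to 0, and the cycle repeats. Either resetting lastIndex before each test (what safeMatch does) or removing the flags before the verifier ever sees the pattern makes every check succeed.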

Related Identifiers

CVE-2026-35040
GHSA-3J8V-CGW4-2G6Q

Affected Products

Fast-Jwt