PT-2026-31622 · Fast-Jwt · Fast-Jwt

Fasrm · Published 2026-04-09 · Updated 2026-04-09 · CVE-2026-35041

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: fast-jwt versions 5.0.0 through 6.2.0
Description: fast-jwt is susceptible to a denial-of-service condition when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and evaluated against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, leading to significant CPU consumption during verification. This can impact API gateways, authentication middleware, service-to-service communication, and OAuth / OIDC token validation pipelines. The vulnerability occurs with a validly signed JWT, making it exploitable in authenticated contexts. The issue is due to the library allowing regular expressions in claim validation and the attacker's ability to control the aud claim, resulting in exponential verification time growth as input length increases. This can block Node.js event loop threads, degrade API throughput, cause cascading service failures, increase serverless execution costs, and saturate authentication infrastructure.
Recommendations: For versions 5.0.0 through 6.2.0, avoid using regular expressions in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options. If regular expressions are necessary, ensure they are safe and do not contain nested quantifiers that could lead to catastrophic backtracking.
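As an added example (not fast-jwt's own code), the following lint can be run over verifier options before they are handed to fast-jwt's createVerifier: it flags RegExp matchers of the classic nested-quantifier shape in the five claim options named above and shows a weak regex configuration beside the corrected literal-audience list. The helper names and the heuristic pattern are assumptions; the heuristic is a filter for the well-known risky shape, not a proof that a regex is safe.

```javascript
// Added example, not part of fast-jwt. Lints the claim-matching options
// listed in the advisory before they reach the verifier.
const CLAIM_OPTIONS = ['allowedAud', 'allowedIss', 'allowedSub', 'allowedJti', 'allowedNonce'];

// Heuristic (assumption): a group that already contains a quantifier and is
// itself quantified, e.g. (a+)+, (\w*)*, ([a-z]+){2,}. Not a proof of safety.
const NESTED_QUANTIFIER = /\((?:[^()\\]|\\.)*[*+}](?:[^()\\]|\\.)*\)[*+{]/;

function isRiskyRegex(re) {
  return NESTED_QUANTIFIER.test(re.source);
}

// fast-jwt accepts a single matcher or an array; normalise to an array.
function toList(value) {
  if (value === undefined) return [];
  return Array.isArray(value) ? value : [value];
}

// Returns the problems found; an empty array means no RegExp of the risky
// shape is present. Exact-string matchers are always accepted.
function lintClaimOptions(options) {
  const problems = [];
  for (const key of CLAIM_OPTIONS) {
    for (const matcher of toList(options[key])) {
      if (matcher instanceof RegExp && isRiskyRegex(matcher)) {
        problems.push(`${key}: /${matcher.source}/ has a nested quantifier`);
      }
    }
  }
  return problems;
}

// Weak: a regex over the attacker-controlled aud claim, with a nested quantifier.
const weakOptions = { allowedAud: /^(api-[a-z0-9]+)+\.example\.com$/ };
// Corrected: enumerate the audiences this service actually accepts (constructed values).
const hardenedOptions = { allowedAud: ['api.example.com', 'admin.example.com'] };

// Gate to call at startup; the returned object is what goes to createVerifier().
function verifyOptionsOrThrow(options) {
  const problems = lintClaimOptions(options);
  if (problems.length > 0) {
    throw new Error('Unsafe claim matcher: ' + problems.join('; '));
  }
  return options;
}
```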

Tags: Exploit · Fix · DoS

Weakness Enumeration

Related Identifiers

CVE-2026-35041
GHSA-CJW9-GHJ4-FWXF

Affected Products

Fast-Jwt