fast-jwt
Ecosystem:
npm
Package URL:
pkg:npm/fast-jwt
Total PRs:
52 Dependabot PRs
Latest PR:
about 1 month ago
Unique Repositories:
43 repositories
Unique Repos (30 days):
3 repositories
Security Advisories
fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification
GHSA-cjw9-ghj4-fwxf
CVE-2026-35041
MODERATE
published 2 months ago
• updated about 1 month ago
## ⚠️ IMPORTANT CLARIFICATIONS
### Affected Configurations
This vulnerability ONLY affects applications that:
- Use RegExp objects (not stri...
JWT Algorithm Confusion
GHSA-c2ff-88x2-x9pg
CVE-2023-48223
MODERATE
published over 2 years ago
• updated about 2 months ago
### Summary
The fast-jwt library does not properly prevent JWT algorithm confusion for all public key types.
### Details
The 'publicKeyPemMatcher'...
fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation)
GHSA-hm7r-c7qw-ghp6
CVE-2026-35042
HIGH
published 3 months ago
• updated 6 days ago
## Summary
`fast-jwt` does not validate the `crit` (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a `crit` arr...
fast-jwt: Incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key
GHSA-mvf2-f6gm-w987
CVE-2026-34950
CRITICAL
published 3 months ago
• updated 6 days ago
### Summary
The fix for GHSA-c2ff-88x2-x9pg (CVE-2023-48223) is incomplete. The publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ ancho...
fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)
GHSA-3j8v-cgw4-2g6q
CVE-2026-35040
MODERATE
published 2 months ago
• updated 23 days ago
## Impact
Using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify funct...
Recent PRs (filtered by: Patch PRs )
chore(deps): bump fast-jwt from 6.2.2 to 6.2.4
arediss/Oscarr #183
6.2.2 → 6.2.4
Patch PR
Closed
about 1 month ago
1 comment
Bump fast-jwt from 6.2.2 to 6.2.4
Unwrenchable/effective-engine #30
6.2.2 → 6.2.4
Patch PR
Open
about 1 month ago
1 comment
build(deps): bump fast-jwt from 6.2.2 to 6.2.4 in /backend in the npm_and_yarn group across 1 directory
6.2.2 → 6.2.4
Patch PR
Closed
about 1 month ago
1 comment
npm(deps): bump fast-jwt from 3.3.1 to 3.3.3
phazonoverload/boardgame-stats #1
3.3.1 → 3.3.3
Patch PR
Open
12 months ago
1 comment
build(deps): bump the npm_and_yarn group across 1 directory with 7 updates
5.0.5 → 5.0.6
Patch PR
Open
12 months ago
Bump fast-jwt from 5.0.2 to 5.0.6
sodazone/ocelloids-services #144
5.0.2 → 5.0.6
Patch PR
Open
about 1 year ago
build(deps): bump fast-jwt from 6.0.1 to 6.0.2 in /server
qoomon/actions--access-token #486
6.0.1 → 6.0.2
Patch PR
Merged
about 1 year ago
chore(deps): bump fast-jwt from 5.0.5 to 5.0.6
5.0.5 → 5.0.6
Patch PR
Closed
over 1 year ago
2 comments
Package Details
| Name: | fast-jwt |
| Ecosystem: | npm |
| PURL Type: | npm |
| Package URL: | pkg:npm/fast-jwt |
Package Information
Description:
Fast JSON Web Token implementation
| Repository: | https://github.com/nearform/fast-jwt |
| Homepage: | https://github.com/nearform/fast-jwt |
| Latest Release: | 6.0.0 (over 1 year ago) |
| Dependent Repos: | 1,526 |
| Dependent Packages: | 64 |
| Downloads: | 1,313,881 |
| Ranking: | Top 0.5175% by dependent repos; Top 0.3016% by downloads; Top 0.4985% by dependent pkgs |