pkg:npm/fast-jwt

All known vulnerabilities

• CRITICAL9.1CVE-2026-44351fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver
  from 0, < 6.2.4
• CRITICAL9.1CVE-2026-35039fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)
  >= 0.0.1, < 6.2.0
• CRITICAL9.1CVE-2026-34950fast-jwt: Incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key
  from 0, < 6.2.0
• HIGH7.5fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation)
  from 0, <= 6.1.0
• MEDIUM6.5Fast-JWT Improperly Validates iss Claims
  from 0, < 5.0.6
• MEDIUM5.9JWT Algorithm Confusion
  from 0, < 3.3.2
• MEDIUM5.3fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)
  from 0, < 6.2.1
• MEDIUM4.2fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification
  >= 5.0.0, < 6.2.1