Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package fast-jwt, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (8)
CVE-2026-34950 — CVSS 9.1 (critical): fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, the publicKeyPemMatcher regex in fast-jwt/src/crypto.js…
CVE-2026-35039 — CVSS 9.1 (critical): fast-jwt provides fast JSON Web Token (JWT) implementation. From 0.0.1 to before 6.2.0, setting up a custom cacheKeyBuilder method which…
CVE-2026-44351 — CVSS 9.1 (critical): fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's…
CVE-2026-35042 — CVSS 7.5 (high): fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit (Critical) Header…
CVE-2025-30144 — CVSS 6.5 (medium): fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 5.0.6, the fast-jwt library does not properly validate the iss claim…
CVE-2023-48223 — CVSS 5.9 (medium): fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to version 3.3.2, the fast-jwt library does not properly prevent JWT…
CVE-2026-35040 — CVSS 5.3 (medium): fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud…
CVE-2026-35041 — CVSS 4.2 (medium): fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the…