fast-jwt, Non-deterministic Validation Flaw, CVE(NotSpecified) (medium)

Listen to this Post

The vulnerability arises because the `fast-jwt` library allows `RegExp` objects (with flags like `/g` or /y) for claim validation parameters (allowedAud, allowedIss, allowedSub, allowedJti, allowedNonce). In JavaScript, a `RegExp` with the global (/g) or sticky (/y) flag is stateful: each call to `.test()` updates the `lastIndex` property. When `fast-jwt` reuses the same `RegExp` object across multiple verification attempts without resetting lastIndex, the result of `allowed.some(a => a.test(v))` alternates. For a valid token, the first verification passes (or fails depending on initial lastIndex), the next fails, then passes, and so on. This causes 50% of otherwise valid authentication requests to be rejected in an alternating pattern. The issue is not about accepting invalid tokens; it’s about intermittent rejection of valid ones. Affected configurations use a `RegExp` literal or `new RegExp()` with `/g` or `/y` in any of the `allowed` options. Safe configurations use string patterns or `RegExp` without stateful flags. The root cause is in `src/verifier.js` where `validateClaimValues()` calls `.test()` without resetting lastIndex. A minimal fix is to wrap the regex matcher to reset `lastIndex` before each test.

dailycve form:

Platform: Node.js
Version: fast-jwt <=6.1.0
Vulnerability: Auth flapping
Severity: Medium
date: 2026-04-09

Prediction: Patch within 30d

What Undercode Say:

Check for stateful regex in your config
grep -E "allowed(Aud|Iss|Sub|Jti|Nonce):\s\/.[bash]\/" server.js
// PoC snippet – run in Node.js
const { createVerifier } = require('fast-jwt');
const verify = createVerifier({ key: 'secret', allowedAud: /^admin$/g });
for (let i=0;i<5;i++) {
try { verify(validToken); console.log(i,'PASS'); }
catch(e) { console.log(i,'FAIL'); }
}

Exploit:

An attacker cannot force acceptance of bad tokens. However, by triggering repeated verification calls (e.g., sending the same valid JWT in a loop), the attacker can cause 50% failure rate, leading to retry storms and denial-of-service in authentication middleware.

Protection from this CVE:

  • Remove `/g` or `/y` flags from all `RegExp` used in `allowed` options.
  • Replace `RegExp` objects with plain strings (e.g., allowedAud: "admin").
  • Apply library patch when available: wrap matcher with { test: v => { r.lastIndex=0; return r.test(v); } }.

Impact:

Intermittent authentication failures; 50% of valid requests rejected alternately; triggers retry storms, operational alerts, and cascading failures in API gateways. No invalid tokens are accepted, but availability is degraded.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top