Listen to this Post
The vulnerability arises because the `fast-jwt` library allows `RegExp` objects (with flags like `/g` or /y) for claim validation parameters (allowedAud, allowedIss, allowedSub, allowedJti, allowedNonce). In JavaScript, a `RegExp` with the global (/g) or sticky (/y) flag is stateful: each call to `.test()` updates the `lastIndex` property. When `fast-jwt` reuses the same `RegExp` object across multiple verification attempts without resetting lastIndex, the result of `allowed.some(a => a.test(v))` alternates. For a valid token, the first verification passes (or fails depending on initial lastIndex), the next fails, then passes, and so on. This causes 50% of otherwise valid authentication requests to be rejected in an alternating pattern. The issue is not about accepting invalid tokens; it’s about intermittent rejection of valid ones. Affected configurations use a `RegExp` literal or `new RegExp()` with `/g` or `/y` in any of the `allowed` options. Safe configurations use string patterns or `RegExp` without stateful flags. The root cause is in `src/verifier.js` where `validateClaimValues()` calls `.test()` without resetting lastIndex. A minimal fix is to wrap the regex matcher to reset `lastIndex` before each test.
dailycve form:
Platform: Node.js
Version: fast-jwt <=6.1.0
Vulnerability: Auth flapping
Severity: Medium
date: 2026-04-09
Prediction: Patch within 30d
What Undercode Say:
Check for stateful regex in your config grep -E "allowed(Aud|Iss|Sub|Jti|Nonce):\s\/.[bash]\/" server.js
// PoC snippet – run in Node.js
const { createVerifier } = require('fast-jwt');
const verify = createVerifier({ key: 'secret', allowedAud: /^admin$/g });
for (let i=0;i<5;i++) {
try { verify(validToken); console.log(i,'PASS'); }
catch(e) { console.log(i,'FAIL'); }
}
Exploit:
An attacker cannot force acceptance of bad tokens. However, by triggering repeated verification calls (e.g., sending the same valid JWT in a loop), the attacker can cause 50% failure rate, leading to retry storms and denial-of-service in authentication middleware.
Protection from this CVE:
- Remove `/g` or `/y` flags from all `RegExp` used in `allowed` options.
- Replace `RegExp` objects with plain strings (e.g.,
allowedAud: "admin"). - Apply library patch when available: wrap matcher with
{ test: v => { r.lastIndex=0; return r.test(v); } }.
Impact:
Intermittent authentication failures; 50% of valid requests rejected alternately; triggers retry storms, operational alerts, and cascading failures in API gateways. No invalid tokens are accepted, but availability is degraded.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

