CVE-2026-35042
Published: 06 April 2026
Summary
CVE-2026-35042 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Nearform Fast-Jwt. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 6.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation directly mitigates CVE-2026-35042 by updating the vulnerable fast-jwt library to properly reject JWS tokens with unrecognized crit headers per RFC 7515.
Vulnerability monitoring and scanning identifies the fast-jwt library vulnerability (CVE-2026-35042) in deployed systems for timely remediation.
Security function verification ensures the JWT validation mechanism correctly rejects tokens with unknown critical headers, addressing the library's validation failure.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote unauthenticated attackers to craft JWS tokens with invalid 'crit' headers that are incorrectly accepted, directly enabling exploitation of public-facing applications using the library (T1190) and facilitating forging of web credentials such as JWT tokens to bypass validation (T1606).
NVD Description
fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC.
Deeper analysis
CVE-2026-35042 is a vulnerability in the fast-jwt library, a fast JSON Web Token (JWT) implementation for Node.js, affecting versions 6.1.0 and earlier. The issue stems from improper validation of the "crit" (Critical) Header Parameter as specified in RFC 7515 §4.1.11. When a JWS token includes a "crit" array listing extensions that fast-jwt does not recognize, the library accepts the token instead of rejecting it, violating the RFC's MUST requirement to reject such tokens. This flaw is classified under CWE-345 (Insufficient Verification of Data Authenticity) and CWE-636 (Not Failing Securely ("Failing Open")), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Remote attackers require no privileges or user interaction and can exploit this over the network with low attack complexity. By crafting a JWS token with a "crit" header listing unrecognized extensions, an attacker can cause fast-jwt to accept the token despite the security violation, potentially enabling integrity compromises such as bypassing intended JWT validation controls in applications relying on the library.
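The following is an added example, not fast-jwt's own code: a verifier-side check of the JWS "crit" parameter that fails closed as RFC 7515 §4.1.11 requires, rejecting any critical extension the verifier does not implement. The token builder, the extension name http://example.invalid/ext and the placeholder signature are constructed sample data; the set of registered Header Parameter names is assumed from RFC 7515/7516/7518.

```javascript
// Added example (not fast-jwt code): RFC 7515 §4.1.11 "crit" check that a
// JWS verifier runs on the decoded protected header before trusting a token.

// Header Parameter names registered by RFC 7515/7516/7518 (assumed list).
// "crit" MUST NOT list any of them, only extension names.
const REGISTERED_HEADER_PARAMS = new Set([
  'alg', 'jku', 'jwk', 'kid', 'x5u', 'x5c', 'x5t', 'x5t#S256', 'typ', 'cty', 'crit',
  'enc', 'zip', 'epk', 'apu', 'apv', 'iv', 'tag', 'p2s', 'p2c',
]);

// Returns null when the header is acceptable, otherwise a rejection reason.
// `understood` is the set of extension names THIS verifier implements.
function checkCrit(header, understood = new Set()) {
  if (!('crit' in header)) return null;                 // "crit" is optional
  const crit = header.crit;
  if (!Array.isArray(crit) || crit.length === 0) return 'crit must be a non-empty array';
  for (const name of crit) {
    if (typeof name !== 'string' || name === '') return 'crit entries must be non-empty strings';
    if (REGISTERED_HEADER_PARAMS.has(name)) return `crit must not list registered parameter "${name}"`;
    if (!(name in header)) return `crit lists "${name}" but the header lacks it`;
    if (!understood.has(name)) return `unsupported critical extension "${name}"`; // fail closed
  }
  return null;
}

// Decode the protected header of a compact JWS. The signature is NOT verified
// here; the crit check must run before the token is accepted for any purpose.
function decodeProtectedHeader(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
}

function critCheckToken(token, understood) {
  return checkCrit(decodeProtectedHeader(token), understood);
}

// Constructed sample builder: real header, dummy payload, placeholder signature.
// The header check alone must already reject an unknown critical extension.
function buildSample(header) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64(header)}.${b64({ sub: 'alice' })}.c2lnbmF0dXJl`;
}

// Demo: same token, once with the extension unknown, once with it implemented.
const EXT = 'http://example.invalid/ext';                 // constructed name
const sample = buildSample({ alg: 'HS256', crit: [EXT], [EXT]: true });
console.log(critCheckToken(sample, new Set()));           // rejection reason
console.log(critCheckToken(sample, new Set([EXT])));      // null: acceptable
```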
The primary GitHub security advisory at https://github.com/nearform/fast-jwt/security/advisories/GHSA-hm7r-c7qw-ghp6 details the issue and mitigation steps. Additional technical reference is provided in RFC 7515 §4.1.11 at https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11.
Details
- CWE(s)