| CVE-2026-44351 | critical | 9.1 | 9.1 | 16d ago | fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver |
| CVE-2026-35041 | unknown | — | — | 2mo ago | fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification |
| CVE-2026-35040 | unknown | — | — | 2mo ago | fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS) |
| CVE-2026-35042 | unknown | — | — | 2mo ago | fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation) |
| CVE-2026-35039 | unknown | — | — | 2mo ago | fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup) |
| CVE-2026-34950 | unknown | — | — | 2mo ago | fast-jwt: Incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key |
| CVE-2025-30144 | unknown | — | — | 1y ago | Fast-JWT Improperly Validates iss Claims |
| CVE-2023-48223 | unknown | — | — | 3y ago | JWT Algorithm Confusion |