fast-jwt has an incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key

Description

fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, the publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact same JWT algorithm confusion attack that CVE-2023-48223 patched.

Affected Products

Vendor	Product	Versions
nearform	fast-jwt	<= 6.1.0

References

https://github.com/nearform/fast-jwt/security/advisories/GHSA-mvf2-f6gm-w987(x_refsource_CONFIRM)

Related News (1 articles)

Tier C

VulDB5h ago

CVE-2026-34950 | nearform fast-jwt up to 6.1.0 JSON Web Token fast-jwt/src/crypto.js risky encryption (GHSA-mvf2-f6gm-w987)

→ No new info (linked only)

CVSS 3.19.1 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA KEV❌ No

Actively exploited❌ No

CWECWE-327

PublishedApr 2, 2026

Last enriched4h agov2

Community Vote

Version History

Last enriched 4h ago

v2Tier C4h ago

Updated description with new details about the vulnerability and corrected exploit availability.

description

via VulDB

v14d ago

Initial creation

fast-jwt has an incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (2)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History