fast-jwt accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

Description

fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC.

Affected Products

Vendor	Product	Versions
nearform	fast-jwt	<= 6.1.0

References

https://github.com/nearform/fast-jwt/security/advisories/GHSA-hm7r-c7qw-ghp6(x_refsource_CONFIRM)
https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB2d ago

CVE-2026-35042 | nearform fast-jwt crit Header Extension data authenticity

→ No new info (linked only)

CVSS 3.17.5 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA KEV❌ No

Actively exploited❌ No

CWECWE-345, CWE-636

PublishedApr 3, 2026

Last enriched2d agov2

Community Vote

Version History

Last enriched 2d ago

v2Tier C2d ago

Updated vendor to nearform, changed severity to MEDIUM, and noted that no exploit is available.

severity

via VulDB

v13d ago

Initial creation

fast-jwt accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (2)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History