CVE-2026-35039: fast-jwt Token Misidentification (CRITICAL)
Platform: nodejs
Component: fast-jwt
Fixed in: 6.1.0
CVE-2026-35039 is a critical vulnerability in fast-jwt that can lead to token misidentification due to cache collisions. Setting up a custom `cacheKeyBuilder` method that does not properly create unique keys for different tokens can cause valid tokens to return claims from different valid tokens. This can lead to user impersonation, privilege escalation, and cross-tenant data access. Upgrade to version 6.1.0 to resolve this issue.
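The collision described above can be reproduced with a small model of a verifier cache. This is an added example, not fast-jwt's code and not from the advisory: `createCachedDecoder`, `weakKey`, `fullTokenKey`, `findCollisions` and the sample tokens are hypothetical names and constructed data, and signature verification is left out so that only the cache-key behaviour is shown.

```javascript
// Model of a token cache keyed by a caller-supplied cacheKeyBuilder.
// Hypothetical names throughout; this does not call fast-jwt.

// Constructed sample tokens: identical header, different claims.
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const makeToken = (claims) =>
  `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(claims)}.sig-${claims.sub}`;

const alice = makeToken({ sub: 'alice', tenant: 'a', role: 'user' });
const bob = makeToken({ sub: 'bob', tenant: 'b', role: 'admin' });

// Decodes claims once per cache key, then serves later lookups from the cache.
function createCachedDecoder(cacheKeyBuilder) {
  const cache = new Map();
  return (token) => {
    const key = cacheKeyBuilder(token);
    if (!cache.has(key)) {
      const payload = token.split('.')[1];
      cache.set(key, JSON.parse(Buffer.from(payload, 'base64url').toString()));
    }
    return cache.get(key);
  };
}

// Weak: a token prefix covers only the shared header, so every token collides.
const weakKey = (token) => token.slice(0, 32);
// Unique: the key is derived from the entire token (hashing the full token
// with a collision-resistant hash is the equivalent space-saving choice).
const fullTokenKey = (token) => token;

// Claims returned for alice's token after bob's token has populated the cache.
function claimsSeenBy(cacheKeyBuilder) {
  const decode = createCachedDecoder(cacheKeyBuilder);
  decode(bob);
  return decode(alice);
}

// Pre-deployment check: pairs of distinct tokens that map to the same key.
function findCollisions(cacheKeyBuilder, tokens) {
  const seen = new Map();
  const collisions = [];
  for (const token of new Set(tokens)) {
    const key = cacheKeyBuilder(token);
    if (seen.has(key)) collisions.push([seen.get(key), token]);
    else seen.set(key, token);
  }
  return collisions;
}
```

Running `findCollisions` over a set of distinct test tokens in a unit test catches a key builder that ignores part of the token before it reaches production.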
How to fix
No official patch available. Check for workarounds or monitor for updates.
Frequently asked questions
What is CVE-2026-35039?
CVE-2026-35039 is a token misidentification vulnerability in fast-jwt caused by cache collisions.
Am I affected by CVE-2026-35039?
You are affected if you are using a vulnerable version of fast-jwt with a custom `cacheKeyBuilder` that does not properly create unique keys.
How do I fix CVE-2026-35039?
Upgrade to fast-jwt version 6.1.0 or later.