CVE-2026-35039: fast-jwt Cache Collision Vulnerability
Platform: nodejs
Component: fast-jwt
Fixed in: 6.1.0
CVE-2026-35039 describes a cache collision vulnerability within the fast-jwt library. Improperly configured cache key builders can lead to tokens being misidentified during verification, potentially resulting in user impersonation, privilege escalation, and cross-tenant data access. This issue affects versions prior to 6.1.0, and is resolved in version 6.1.0.
How to fix
Upgrade to version 6.1.0 or later to mitigate the risk of cache confusion. Make sure any custom `cacheKeyBuilder` generates a unique cache key for each token, to avoid collisions and tokens being misidentified.
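The collision described above, as an added example that is not fast-jwt's own code: a simplified model of a verifier that caches results under whatever key a builder returns. `createCachedVerifier`, `weakKey`, `uniqueKey`, the `tenant` claim and the sample secret are hypothetical names and constructed values, and the cache-hit behaviour is an assumption of this model.

```javascript
// Simplified model of a cached JWT verifier (added example, not fast-jwt code).
const crypto = require('node:crypto');
const SECRET = 'constructed-demo-secret'; // constructed sample key
const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const hmac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest('base64url');

// Build an HS256 token for the demo (constructed sample input).
function sign(payload) {
  const body = `${b64u({ alg: 'HS256', typ: 'JWT' })}.${b64u(payload)}`;
  return `${body}.${hmac(body)}`;
}

// Check the signature and return the payload; throws on a bad signature.
function verifyUncached(token) {
  const [h, p, sig] = token.split('.');
  const expected = Buffer.from(hmac(`${h}.${p}`));
  const got = Buffer.from(sig || '');
  if (got.length !== expected.length || !crypto.timingSafeEqual(got, expected)) {
    throw new Error('invalid signature');
  }
  return JSON.parse(Buffer.from(p, 'base64url').toString());
}

// Hypothetical cached verifier: results are stored under cacheKeyBuilder(token).
function createCachedVerifier(cacheKeyBuilder) {
  const cache = new Map();
  return (token) => {
    const key = cacheKeyBuilder(token);
    if (!cache.has(key)) cache.set(key, verifyUncached(token)); // a hit skips verification
    return cache.get(key);
  };
}

// Weak builder: keys on the tenant claim only, so all tokens of one tenant collide.
const weakKey = (token) =>
  JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString()).tenant;
// Unique builder: hash of the complete token, signature included.
const uniqueKey = (token) => crypto.createHash('sha256').update(token).digest('hex');

// Returns the subject each verifier reports for the second token.
function demo() {
  const alice = sign({ sub: 'alice', role: 'admin', tenant: 't1' });
  const bob = sign({ sub: 'bob', role: 'user', tenant: 't1' });
  const weak = createCachedVerifier(weakKey);
  const strong = createCachedVerifier(uniqueKey);
  weak(alice); strong(alice); // warm both caches with the first token
  return { weak: weak(bob).sub, strong: strong(bob).sub };
}
console.log(demo()); // { weak: 'alice', strong: 'bob' }
```

With the weak builder the second token is reported as the first user's; a builder that hashes the whole token keeps each result tied to the token that produced it.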
Frequently asked questions
What is CVE-2026-35039?
CVE-2026-35039 is a cache collision vulnerability in the fast-jwt library. It can lead to user impersonation and privilege escalation due to incorrect token verification.
Am I affected by CVE-2026-35039?
You are affected if you are using a version of fast-jwt prior to 6.1.0 and have configured a custom cacheKeyBuilder that does not generate unique keys.
How do I fix CVE-2026-35039?
Upgrade to fast-jwt version 6.1.0 or later. This version includes a fix that prevents cache collisions and ensures proper token verification.