What is the severity of CVE-2026-35042?

CVE-2026-35042 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-35042?

No known public exploits are currently available for CVE-2026-35042.

Is there a patch available for CVE-2026-35042?

No official patches have been released yet for CVE-2026-35042. Consider implementing workarounds or mitigations.

CVE-2026-35042 - CVE Details, Severity, and Analysis

Published: April 4, 2026

Last updated:15 hours ago (April 6, 2026)

Updated April 6, 2026

Summary

fast-jwt does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC.

RFC Requirement

RFC 7515 §4.1.11:

If any of the listed extension Header Parameters are not understood and supported by the recipient, then the JWS is invalid.

Proof of Concept

const { createSigner, createVerifier } = require("fast-jwt"); // v3.3.3

const signer = createSigner({ key: "secret", algorithm: "HS256" });
const token = signer({
  sub: "attacker",
  role: "admin",
  header: { crit: ["x-custom-policy"], "x-custom-policy": "require-mfa" },
});

// Should REJECT — x-custom-policy is not understood
const verifier = createVerifier({ key: "secret", algorithms: ["HS256"] });
try {
  const result = verifier(token);
  console.log("ACCEPTED:", result);
  // Output: ACCEPTED: { sub: 'attacker', role: 'admin' }
} catch (e) {
  console.log("REJECTED:", e.message);
}

Expected: Error — unsupported critical extension Actual: Token accepted.

Comparison

// jose (panva) v4+ — correctly rejects
const jose = require("jose");
await jose.jwtVerify(token, new TextEncoder().encode("secret"));
// throws: Extension Header Parameter "x-custom-policy" is not recognized

Impact

Split-brain verification in mixed-library environments
Security policy bypass when crit carries enforcement semantics
Token binding bypass (RFC 7800 cnf confirmation)
See CVE-2025-59420 for full impact analysis

Suggested Fix

In src/verifier.js, add crit validation after header decoding:

const SUPPORTED_CRIT = new Set(["b64"]);

function validateCrit(header) {
  if (!header.crit) return;
  if (!Array.isArray(header.crit) || header.crit.length === 0)
    throw new Error("crit must be a non-empty array");
  for (const ext of header.crit) {
    if (!SUPPORTED_CRIT.has(ext))
      throw new Error(`Unsupported critical extension: ${ext}`);
    if (!(ext in header))
      throw new Error(`Critical extension ${ext} not present in header`);
  }
}

Strobes VI. (2026). CVE-2026-35042 - CVE Details and Analysis. Strobes VI. Retrieved April 6, 2026, from https://vi.strobes.co/cve/CVE-2026-35042

Published: April 4, 2026

Last updated:15 hours ago (April 6, 2026)

Updated April 6, 2026

Summary

RFC Requirement

RFC 7515 §4.1.11:

If any of the listed extension Header Parameters are not understood and supported by the recipient, then the JWS is invalid.

Proof of Concept

const { createSigner, createVerifier } = require("fast-jwt"); // v3.3.3

const signer = createSigner({ key: "secret", algorithm: "HS256" });
const token = signer({
  sub: "attacker",
  role: "admin",
  header: { crit: ["x-custom-policy"], "x-custom-policy": "require-mfa" },
});

// Should REJECT — x-custom-policy is not understood
const verifier = createVerifier({ key: "secret", algorithms: ["HS256"] });
try {
  const result = verifier(token);
  console.log("ACCEPTED:", result);
  // Output: ACCEPTED: { sub: 'attacker', role: 'admin' }
} catch (e) {
  console.log("REJECTED:", e.message);
}

Expected: Error — unsupported critical extension Actual: Token accepted.

Comparison

// jose (panva) v4+ — correctly rejects
const jose = require("jose");
await jose.jwtVerify(token, new TextEncoder().encode("secret"));
// throws: Extension Header Parameter "x-custom-policy" is not recognized

Impact

Split-brain verification in mixed-library environments
Security policy bypass when crit carries enforcement semantics
Token binding bypass (RFC 7800 cnf confirmation)
See CVE-2025-59420 for full impact analysis

Suggested Fix

In src/verifier.js, add crit validation after header decoding:

const SUPPORTED_CRIT = new Set(["b64"]);

function validateCrit(header) {
  if (!header.crit) return;
  if (!Array.isArray(header.crit) || header.crit.length === 0)
    throw new Error("crit must be a non-empty array");
  for (const ext of header.crit) {
    if (!SUPPORTED_CRIT.has(ext))
      throw new Error(`Unsupported critical extension: ${ext}`);
    if (!(ext in header))
      throw new Error(`Critical extension ${ext} not present in header`);
  }
}

Strobes VI. (2026). CVE-2026-35042 - CVE Details and Analysis. Strobes VI. Retrieved April 6, 2026, from https://vi.strobes.co/cve/CVE-2026-35042

CVE-2026-35042

Summary

RFC Requirement

Proof of Concept

Comparison

Impact

Suggested Fix

Ready for Agentic Automated Testing?

CVE-2026-35042

Summary

RFC Requirement

Proof of Concept

Comparison

Impact

Suggested Fix