AIKIDO-2026-10698
fast-jwt is vulnerable to Improper Input Validation
35
Low Risk
This Affects:
fast-jwtTL;DR
During verification the decoder splits the JWT into header, payload, and signature segments and decodes the first two with Buffer.from using the base64 alphabet. That path tolerates characters JWT base64url encoding must not contain, such that whitespace, newlines, or padding can be dropped instead of failing closed. A peer that strictly rejects those inputs could disagree with this library about whether a token is well-formed, which weakens predictable signature verification for non-canonical strings. The update requires each segment to match the base64url alphabet before decoding so violators are rejected consistently with RFC expectations.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
fast-jwt is vulnerable to Improper Input Validation in versions 0.1.0 - 6.2.2.
How to fix this
Upgrade the fast-jwt library to the patch version.
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant