fast-jwt is vulnerable to Authentication Bypass
91
Critical Risk
When verifying HMAC-signed JWTs, prepareKeyOrSecret normalized string keys to buffers and passed symmetric material through without rejecting a zero-length secret. If the application’s key resolver returned an empty string or buffer (for example after a failed JWKS lookup), the library could still treat the material as a valid HMAC key. An attacker who sends a token forged with an HMAC over the signing input using that same empty secret could have the signature compare successfully, bypassing authentication. The update rejects empty symmetric keys up front with an invalid-key error so verification cannot proceed with a missing effective secret.
You are affected if you are using a version that falls within the vulnerable range and your application's key resolver can dynamically return an empty string or buffer for the secret.
fast-jwt is vulnerable to Authentication Bypass in versions 0.1.0 - 6.2.3.
Upgrade the fast-jwt library to the patched version.