fast-jwt Denial-of-Service Vulnerability via Unsafe Regular Expressions in Audience Validation

Vulnerability

A denial-of-service vulnerability has been identified in the fast-jwt library, affecting versions 5.0.0 prior to 6.2.0. The issue arises when the audience verification option, allowedAud, is configured with a regular expression that allows catastrophic backtracking. Because the aud claim of an incoming token is attacker-controlled, a crafted JSON Web Token (JWT) can drive the regex engine into excessive CPU use during verification. This vulnerability is particularly concerning in authenticated contexts such as API gateways and OAuth token validation pipelines.

Impact

Exploitation of this vulnerability leads to significant CPU exhaustion, causing verification times to increase from milliseconds to several seconds per request. This disruption can block the Node.js event loop, degrade API performance, trigger cascading service failures, and increase costs in serverless environments.

Reproduction

To reproduce this vulnerability, first install the fast-jwt library. Then configure the JWT verifier with a regular expression in the allowedAud option that is prone to catastrophic backtracking, such as one with nested quantifiers. Finally, send a validly signed JWT whose aud claim is designed to trigger that backtracking, and observe the verification time.

Remediation

Users can update to fast-jwt version 6.2.1, which addresses this vulnerability by adding a warning for unsafe regular expressions in the allowed options.
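As an added illustration (not fast-jwt's own code) of the defensive side of the Reproduction and Remediation sections above, the following self-contained Node.js snippet shows an audience check that refuses backtracking-prone allowedAud patterns before they ever run against a token, and bounds the length of the attacker-controlled aud value. The function names, the 256-character limit, and the nested-quantifier lint are assumptions made for this example; the lint is a quick screen, not a proof that a pattern is safe.

```javascript
// Added example (not fast-jwt's own code): a defensive audience check that
// refuses backtracking-prone patterns and bounds the attacker-controlled `aud`
// claim before any regular expression sees it. Names and limits are assumptions.

const MAX_AUD_LENGTH = 256; // constructed bound; real audiences are short URIs or client ids

// Heuristic lint: a quantified group that is itself quantified, e.g. (a+)+, (a*)*,
// (a+){2,}. Such patterns can backtrack exponentially on non-matching input.
// This is a quick screen, not a proof of safety.
function hasNestedQuantifier(source) {
  return /\([^()]*[+*][^()]*\)[+*{]/.test(source);
}

// Normalises allowedAud to an array and rejects any RegExp the lint flags.
function assertSafeAllowedAud(allowedAud) {
  const allowed = Array.isArray(allowedAud) ? allowedAud : [allowedAud];
  for (const entry of allowed) {
    if (entry instanceof RegExp && hasNestedQuantifier(entry.source)) {
      throw new Error(`refusing backtracking-prone audience pattern: ${entry}`);
    }
  }
  return allowed;
}

// Returns true when at least one `aud` value is accepted. String entries are
// compared exactly; RegExp entries only run on values within the length bound.
function matchesAudience(audClaim, allowedAud, maxLength = MAX_AUD_LENGTH) {
  const allowed = assertSafeAllowedAud(allowedAud);
  const claims = Array.isArray(audClaim) ? audClaim : [audClaim];
  return claims.some((aud) => {
    if (typeof aud !== 'string' || aud.length > maxLength) return false;
    return allowed.some((entry) =>
      typeof entry === 'string' ? entry === aud : entry.test(aud));
  });
}

// Constructed configuration: an exact-match entry and an anchored, linear pattern.
const SAFE_ALLOWED_AUD = ['https://api.example.com', /^urn:app:[a-z0-9-]+$/];

// Constructed example of the kind of pattern the advisory warns about; it is
// never executed against input here, only rejected by the lint.
const UNSAFE_ALLOWED_AUD = [/^(a+)+$/];

function demo() {
  return {
    exactMatch: matchesAudience('https://api.example.com', SAFE_ALLOWED_AUD),
    patternMatch: matchesAudience(['other', 'urn:app:client-42'], SAFE_ALLOWED_AUD),
    tooLong: matchesAudience('urn:app:' + 'a'.repeat(300), SAFE_ALLOWED_AUD),
    unsafePatternRejected: (() => {
      try { matchesAudience('aaaa', UNSAFE_ALLOWED_AUD); return false; }
      catch (e) { return /backtracking-prone/.test(e.message); }
    })(),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The length bound on its own is not a fix: a nested-quantifier pattern can take exponential time even on a 256-character input, which is why the lint rejects the pattern up front and string entries are compared with `===` rather than a regex. Prefer exact-match strings for allowedAud wherever the set of audiences is known.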

Added: Apr 9, 2026, 4:57 PM
Updated: Apr 9, 2026, 4:57 PM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           0.0
impact           2.5
exploitability   6.0
remediation      7.7
relevance        5.5
threat           6.4
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.