CVE-2026-34950

fast-jwt · fast-jwt

The fast-jwt library is vulnerable to an algorithm confusion attack because its key-matching regex does not account for leading whitespace in the key string.

Executive summary

The fast-jwt library contains a critical flaw that enables JWT algorithm confusion attacks, allowing attackers to bypass signature verification.

Vulnerability

The publicKeyPemMatcher regex anchors its match at the start of the key string, so a public key preceded by leading whitespace is not recognized as a public key and the anchor is effectively bypassed. This regression re-enables a known JWT algorithm confusion vulnerability, allowing an attacker to manipulate the token's algorithm header and bypass authentication mechanisms.
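An added illustrative example, not fast-jwt's source: the regex below is an assumed model of the check's shape, showing how a start-of-string anchor misses a PEM with leading whitespace, the normalisation that closes the gap, and the verifier-side algorithm allow-list guard a server should keep regardless of library version.

```javascript
// Modelled (assumed) matcher: '^' requires the PEM header at offset 0, so a
// key string that begins with '\n' or ' ' is not recognised as a public key.
const FLAWED_PUBLIC_KEY_PEM = /^-----BEGIN (?:RSA |EC )?PUBLIC KEY-----/;

// Hardened variant: normalise the key text before matching. trimStart()
// removes leading whitespace, line terminators and a U+FEFF BOM, so the
// anchor then sees the real PEM header.
function normaliseKey(key) {
  const text = typeof key === 'string' ? key : String(key); // Buffer -> utf8 text
  return text.trimStart();
}

function isPublicKeyPemFlawed(key) {
  return FLAWED_PUBLIC_KEY_PEM.test(typeof key === 'string' ? key : String(key));
}

function isPublicKeyPem(key) {
  return FLAWED_PUBLIC_KEY_PEM.test(normaliseKey(key));
}

// Verification-side guard: only algorithms on an explicit allow-list are
// accepted, and a symmetric (HS*) algorithm is never paired with public-key
// material, which is the pairing algorithm confusion relies on.
function checkKeyForAlgorithm(key, algorithm, allowedAlgorithms) {
  if (!allowedAlgorithms.includes(algorithm)) {
    return { ok: false, reason: `algorithm ${algorithm} not permitted` };
  }
  if (algorithm.startsWith('HS') && isPublicKeyPem(key)) {
    return { ok: false, reason: 'public keys cannot be used with symmetric algorithms' };
  }
  return { ok: true, reason: null };
}

// Constructed sample PEM (placeholder body, not a real key).
const SAMPLE_PUBLIC_KEY_PEM = [
  '-----BEGIN PUBLIC KEY-----',
  'CONSTRUCTED_PLACEHOLDER_KEY_BODY',
  '-----END PUBLIC KEY-----',
].join('\n');
```

The flawed matcher accepts the clean sample but not the same PEM with a leading newline; the normalised matcher recognises both, so the HS* guard still fires.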

Business impact

With a CVSS score of 9.1, this vulnerability poses a severe threat to authentication integrity. An attacker who can forge JWTs can impersonate any user, including administrators, gaining unauthorized access to protected resources and sensitive data.

Remediation

Immediate Action: Update the fast-jwt library to the latest patched version that specifically addresses this regex anchor flaw.

Proactive Monitoring: Monitor authentication logs for patterns of suspicious JWT usage, such as tokens with unexpected algorithm headers or malformed key structures.

Compensating Controls: Implement strict server-side validation of JWT headers and ensure that only expected signing algorithms are permitted for verification.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a significant regression in security. It is imperative that all applications relying on fast-jwt for authentication are updated immediately to prevent potential exploitation of the algorithm confusion flaw.