+ "details": "## Impact\n\nUsing certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided.\n\nSuch modifiers are:\n- /g : Global matching\n- /y : Sticky matching\n\nThis does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes **50% of valid authentication requests to fail** in an alternating pattern, leading to:\n - Intermittent user authentication failures\n - Potential retry storms in applications\n - Operational monitoring alerts\n\n## Affected Configurations\n\n### This vulnerability ONLY affects applications that:\n\n- Use RegExp objects (not strings) in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options\n- Use stateful RegExp modifiers such a /g or /y\n\nExample: allowedAud: /abc/g ← IMPACTED\nExample: allowedAud: \"/abc/\" ← SAFE\n\n### Not Affected\n\n- Applications using string patterns for audience validation (most common)\n- Applications using RegExp patterns without stateful modifiers\n\n### Assessment Guide\nTo determine if you're affected:\n\nCheck if allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options use RegExp objects (/pattern/ or new RegExp())\nIf yes, review the pattern for stateful modifiers like /g, /y\nIf no RegExp usage or no stateful modifiers, you are NOT affected\n\n## Mitigation Options\nWhile a fix will be coming in the next version of the package you can take steps to mitigate the issue immediately by removing any such modifiers (/g, /y) from the regex.\n\n---\n\nSummary\n\nfast-jwt accepts RegExp for allowedAud, allowedIss, allowedSub, allowedJti, and allowedNonce.\n\nIf the provided regular expression uses the g (global) or y (sticky) flag, verification becomes non-deterministic: the same valid token alternates between acceptance and rejection across successive calls.\n\nThis occurs because RegExp.prototype.test() is stateful when g/y is set (it mutates lastIndex), and fast-jwt reuses the same RegExp object without resetting lastIndex.\n\n\nAffected component\n\nsrc/verifier.js\n\nensureStringClaimMatcher() returns the RegExp object directly.\n\nvalidateClaimValues() performs repeated a.test(v) calls without resetting lastIndex.\n\n\nImpact\n\nLogical denial-of-service / authentication flapping.\n\nA valid signed JWT can be intermittently rejected.\n\nCauses unpredictable authentication outcomes across repeated verification calls.\n\nCan trigger retry storms and cascading failures in API gateways and authentication middleware.\n\nAffects any deployment that configures allowed* using RegExp and includes g or y flags.\n\n\nRoot cause\n\nvalidateClaimValues() uses: allowed.some(a => a.test(v))\n\n\nWhen `a` is a RegExp with g or y, `a.test()` mutates `a.lastIndex`.\n\nSubsequent calls against the same input can return different results.\n\n\nProof of concept\n\nEnvironment\n\n- fast-jwt: 6.1.0 (repo HEAD)\n- Node.js: v24.13.1\n\nPoC\nconst { createSigner, createVerifier } = require('fast-jwt')\n\nconst sign = createSigner({ key: 'secret' })\nconst token = sign({ aud: 'admin', iss: 'issuer' })\n\nfunction run(name, opts) {\nconst verify = createVerifier({ key: 'secret', ...opts })\nconsole.log('\\n==', name)\nfor (let i = 0; i < 8; i++) {\ntry { verify(token); console.log(i, 'PASS') }\ncatch (e) { console.log(i, 'FAIL', e.code || e.message) }\n}\n}\n\nrun('allowedAud global regex', { allowedAud: /^admin$/g })\nrun('allowedIss global regex', { allowedIss: /^issuer$/g })\nrun('control (non-global regex)', { allowedAud: /^admin$/ })\n\n\n\nObserved behavior\n\n- allowedAud with `/g` alternates PASS/FAIL across calls\n- allowedIss with `/g` alternates PASS/FAIL across calls\n- control regex (no g/y) is deterministic and always PASS\n\n\nExpected behavior\n\nValidation must be deterministic.\n\nThe same token under the same verifier configuration must always yield the same decision.\n\n\nSuggested fix (minimal and safe)\n\nWrap RegExp matchers inside ensureStringClaimMatcher() to reset lastIndex before calling test():\nif (r instanceof RegExp) {\nreturn { test: v => { r.lastIndex = 0; return r.test(v) } }\n}\n\n\nThis preserves semantics for non-global regexes, makes g/y deterministic, and avoids changes in the rest of the verifier logic.\n\n\nSecurity classification\n\nLogical DoS / authentication reliability failure.\n\nThis can be weaponized to produce production outages via retry storms and auth instability.\n\n\nWhy this is not “misuse”\n\n- The library explicitly accepts RegExp for allowed* claim validation.\n- The behavior difference is caused by internal state mutation of RegExp.test().\n- The same token, same verifier config, same runtime yields different outcomes.\n- Security decisions must be deterministic; non-determinism at the verification layer is a correctness flaw.\n- Consumers cannot reliably defend against this unless the library normalizes matcher state.\n\n\nNotes\n\n- Affects allowedAud, allowedIss, allowedSub, allowedJti, allowedNonce equally (shared matcher logic).\n- Independent from the previously reported ReDoS; this is a determinism and correctness failure that can still produce production DoS effects.\n\n\nPoC Code:\n'use strict'\n\n/**\n * PoC: Stateful RegExp flags (g/y) cause non-deterministic allowed-claim validation\n * fast-jwt reuses the same RegExp object; RegExp.test() mutates lastIndex when g/y is set.\n *\n * This script prints a human-readable log AND writes evidence to JSON.\n *\n * Usage:\n * node poc_regex_state_evidence.js\n */\n\nconst fs = require('node:fs')\nconst path = require('node:path')\nconst { createSigner, createVerifier } = require('fast-jwt')\n\nconst OUT_JSON = path.join(process.cwd(), 'evidence-regex-stateful-fastjwt.json')\nconst OUT_LOG = path.join(process.cwd(), 'evidence-regex-stateful-fastjwt.log')\n\n// Make a stable, valid token\nconst sign = createSigner({ key: 'secret' })\nconst token = sign({\n aud: 'admin',\n iss: 'issuer',\n sub: 'subject',\n jti: 'id-123',\n nonce: 'nonce-xyz'\n})\n\nfunction runCase(name, verifierOpts, iterations = 12) {\n const verify = createVerifier({ key: 'secret', ...verifierOpts })\n\n const results = []\n for (let i = 0; i < iterations; i++) {\n try {\n verify(token)\n results.push({ i, ok: true })\n } catch (e) {\n results.push({ i, ok: false, code: e.code || null, message: e.message || String(e) })\n }\n }\n\n return results\n}\n\nfunction summarize(results) {\n const seq = results.map(r => (r.ok ? 'PASS' : 'FAIL')).join(' ')\n const pass = results.filter(r => r.ok).length\n const fail = results.length - pass\n return { pass, fail, seq }\n}\n\nfunction printCase(name, opts, results) {\n const s = summarize(results)\n const lines = []\n lines.push(`== ${name}`)\n lines.push(`opts: ${JSON.stringify(opts)}`)\n lines.push(`PASS=${s.pass} FAIL=${s.fail}`)\n lines.push(`sequence: ${s.seq}`)\n lines.push('')\n return lines.join('\\n')\n}\n\nfunction main() {\n const meta = {\n poc: 'stateful-regexp-allowed-claims',\n package: 'fast-jwt',\n node: process.version,\n timestamp: new Date().toISOString(),\n note: 'RegExp.test is stateful when g/y flags are set; lastIndex mutation causes alternating PASS/FAIL.'\n }\n\n // Cases: g/y should flap, control should be stable\n const cases = [\n {\n name: 'allowedAud with global RegExp /g (expected: flapping)',\n opts: { allowedAud: /^admin$/g }\n },\n {\n name: 'allowedAud with sticky RegExp /y (expected: flapping)',\n opts: { allowedAud: /^admin$/y }\n },\n {\n name: 'allowedIss with global RegExp /g (expected: flapping)',\n opts: { allowedIss: /^issuer$/g }\n },\n {\n name: 'allowedSub with global RegExp /g (expected: flapping)',\n opts: { allowedSub: /^subject$/g }\n },\n {\n name: 'allowedJti with global RegExp /g (expected: flapping)',\n opts: { allowedJti: /^id-123$/g }\n },\n {\n name: 'allowedNonce with global RegExp /g (expected: flapping)',\n opts: { allowedNonce: /^nonce-xyz$/g }\n },\n {\n name: 'CONTROL: allowedAud with non-global RegExp (expected: stable PASS)',\n opts: { allowedAud: /^admin$/ }\n }\n ]\n\n const evidence = {\n meta,\n token: {\n alg: 'HS256 (autodetected by fast-jwt)',\n signed: true,\n jwt: token\n },\n cases: []\n }\n\n let log = ''\n for (const c of cases) {\n const results = runCase(c.name, c.opts, 12)\n const s = summarize(results)\n\n evidence.cases.push({\n name: c.name,\n opts: c.opts,\n iterations: results.length,\n pass: s.pass,\n fail: s.fail,\n sequence: s.seq,\n results\n })\n\n log += printCase(c.name, c.opts, results)\n }\n\n fs.writeFileSync(OUT_JSON, JSON.stringify(evidence, null, 2))\n fs.writeFileSync(OUT_LOG, log)\n\n console.log(log)\n console.log(`[+] Wrote JSON evidence: ${OUT_JSON}`)\n console.log(`[+] Wrote LOG evidence : ${OUT_LOG}`)\n}\n\nmain()\n\n\nOutput:\nPS C:\\Users\\Franciny Rojas\\Desktop\\crypto-research\\fast-jwt> node .\\poc_regex_state_evidence.js\n== allowedAud with global RegExp /g (expected: flapping)\nopts: {\"allowedAud\":{}}\nPASS=6 FAIL=6\nsequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL\n== allowedAud with sticky RegExp /y (expected: flapping)\nopts: {\"allowedAud\":{}}\nPASS=6 FAIL=6\nsequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL\n== allowedIss with global RegExp /g (expected: flapping)\nopts: {\"allowedIss\":{}}\nPASS=6 FAIL=6\nsequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL\n== allowedSub with global RegExp /g (expected: flapping)\nopts: {\"allowedSub\":{}}\nPASS=6 FAIL=6\nsequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL\n== allowedJti with global RegExp /g (expected: flapping)\nopts: {\"allowedJti\":{}}\nPASS=6 FAIL=6\nsequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL\n== allowedNonce with global RegExp /g (expected: flapping)\nopts: {\"allowedNonce\":{}}\nPASS=6 FAIL=6\nsequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL\n== CONTROL: allowedAud with non-global RegExp (expected: stable PASS)\nopts: {\"allowedAud\":{}}\nPASS=12 FAIL=0\nsequence: PASS PASS PASS PASS PASS PASS PASS PASS PASS PASS PASS PASS\n\n[+] Wrote JSON evidence: C:\\Users\\Franciny Rojas\\Desktop\\crypto-research\\fast-jwt\\evidence-regex-stateful-fastjwt.json\n[+] Wrote LOG evidence : C:\\Users\\Franciny Rojas\\Desktop\\crypto-research\\fast-jwt\\evidence-regex-stateful-fastjwt.log\nPS C:\\Users\\Franciny Rojas\\Desktop\\crypto-research\\fast-jwt>",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments