fast-jwt Library JWT Algorithm Confusion Vulnerability

hello@craftedsignal.io — Fri, 03 Apr 2026 12:00:00 +0000

The fast-jwt library, a popular Node.js package for handling JSON Web Tokens (JWTs), contains a vulnerability related to algorithm confusion. An incomplete fix for CVE-2023-48223 (GHSA-c2ff-88x2-x9pg) allows attackers to bypass intended security measures by exploiting leading whitespace in the RSA public key. Specifically, the publicKeyPemMatcher regex in fast-jwt/src/crypto.js does not account for leading whitespace, causing RSA public keys to be misclassified as HMAC secrets. This allows attackers to forge HS256 tokens using the RSA public key, leading to unauthorized access and privilege escalation. The vulnerability affects fast-jwt versions <= 6.1.0. This issue is a direct bypass of the fix for CVE-2023-48223.

Attack Chain

The attacker identifies a server using the vulnerable fast-jwt library for JWT verification.
The attacker retrieves the server’s RSA public key, which is often publicly available.
The attacker adds leading whitespace (e.g., a newline character) to the RSA public key.
The attacker crafts a malicious JWT with the header specifying the HS256 algorithm (alg: 'HS256').
The attacker sets the payload of the JWT to contain desired claims, such as admin: true.
The attacker uses the whitespace-prefixed RSA public key as the HMAC secret to sign the JWT.
The attacker presents the forged HS256 token to the vulnerable server.
The server, due to the algorithm confusion vulnerability, incorrectly verifies the token using the RSA public key as an HMAC secret and grants unauthorized access based on the claims in the forged token.

Impact

Successful exploitation of this vulnerability allows attackers to bypass authentication and authorization controls, potentially gaining administrative privileges or access to sensitive data. This could lead to data breaches, system compromise, and reputational damage. The impact is significant due to the widespread use of the fast-jwt library in various applications. This is a direct bypass of the fix for CVE-2023-48223.

Recommendation

Upgrade to a patched version of the fast-jwt library that addresses this vulnerability. This will require updating the fast-jwt package in your package.json file and redeploying your application.
As an immediate mitigation, sanitize RSA public keys by trimming leading whitespace before using them with the fast-jwt library. This can be done using the .trim() method in JavaScript before passing the key to the createVerifier function.
Deploy the Sigma rule that detects HS256 tokens being verified with RSA keys based on process creation logs to identify potential exploitation attempts.
Implement logging and monitoring for JWT verification processes to detect anomalies and suspicious activity. Specifically, monitor for instances where HS256 is used with keys that appear to be RSA public keys.
Review and update any existing security controls related to JWT handling to ensure they are effective against this type of algorithm confusion attack.

node-tesseract-ocr OS Command Injection Vulnerability

hello@craftedsignal.io — Thu, 26 Mar 2026 12:00:00 +0000

The node-tesseract-ocr npm package, a Node.js wrapper for Tesseract OCR, is vulnerable to OS command injection (CVE-2026-26832) in versions 2.2.1 and earlier. The vulnerability exists within the recognize() function located in src/index.js. The file path parameter, used to specify the image for OCR processing, is directly concatenated into a shell command string without proper sanitization. This unsanitized string is then passed to child_process.exec(), enabling attackers to inject arbitrary commands that are executed by the system. Exploitation can lead to complete system compromise, data exfiltration, or denial of service.

Attack Chain

An attacker crafts a malicious file path containing OS commands.
The attacker passes the malicious file path to the recognize() function within the node-tesseract-ocr package.
The recognize() function concatenates the attacker-controlled file path into a command string.
The command string, now containing injected OS commands, is passed to child_process.exec().
child_process.exec() executes the command string.
The injected OS commands are executed by the system with the privileges of the Node.js process.
The attacker gains arbitrary code execution on the target system.
The attacker can then perform actions such as installing malware, creating new user accounts, or exfiltrating sensitive data.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the server hosting the Node.js application. This can lead to complete system compromise, potentially impacting all data and services hosted on the compromised server. The severity is heightened because the vulnerability is remotely exploitable and requires no user interaction. Systems using affected versions of node-tesseract-ocr are at high risk.

Recommendation

Upgrade the node-tesseract-ocr package to a patched version that addresses CVE-2026-26832 if available.
Implement strict input validation and sanitization for the file path parameter passed to the recognize() function, mitigating command injection attempts.
Monitor process creation events for unusual processes spawned by Node.js (node.exe or node) to detect potential exploitation using the provided Sigma rule.
Review and audit all uses of child_process.exec() within Node.js applications to identify and remediate other potential command injection vulnerabilities.

Nodejs — CraftedSignal Threat Feed

fast-jwt Library JWT Algorithm Confusion Vulnerability

Attack Chain

Impact

Recommendation

node-tesseract-ocr OS Command Injection Vulnerability

Attack Chain

Impact

Recommendation