Published February 26, 2026 | Version v1
Publication Open

Security Analysis of JWT Verification Libraries in the Node.js Ecosystem: Spec Violations, Split-Brain Behaviors and ReDoS Findings

Description

This work presents a comprehensive security analysis of widely used JSON Web Token (JWT) verification libraries in the Node.js ecosystem, focusing on specification compliance, semantic consistency, and adversarial resilience. While JWTs have become foundational to modern authentication and authorization architectures (powering API gateways, OAuth flows, microservices, and serverless platforms), the security community often assumes that signature verification alone guarantees correctness. This research challenges that assumption by systematically examining how different implementations interpret, validate, and enforce JWT semantics under both normal and adversarial conditions.

The study evaluates multiple production-grade libraries, including jsonwebtoken, fast-jwt, jose, and the underlying jws dependency layer, using a differential verification methodology. By submitting identical signed tokens across implementations and comparing acceptance or rejection decisions, the research identifies cases of semantic divergence—referred to as split-brain verification behavior—where the same token is considered valid by one library and invalid by another. These discrepancies arise from differences in claim type enforcement, header parsing, NumericDate handling, and RFC 7515 / RFC 7519 interpretation.

Beyond differential testing, the research applies adversarial token crafting techniques to explore malformed payload structures, claim coercion scenarios, base64url anomalies, and type confusion conditions such as string-versus-number NumericDates and array-versus-string issuer claims. The findings demonstrate that permissive claim parsing and inconsistent validation logic can create subtle but operationally significant verification inconsistencies. In distributed systems where multiple services rely on heterogeneous JWT libraries, such inconsistencies may fragment trust boundaries and introduce nondeterministic authorization outcomes.

A significant contribution of this work is the identification and empirical validation of a denial-of-service condition arising from regular expression-based claim validation in fast-jwt. When the allowedAud option is configured with a vulnerable regular expression, attacker-controlled audience claims can trigger catastrophic backtracking in the JavaScript regex engine. Benchmark measurements demonstrate superlinear growth in verification time as input length increases, resulting in multi-second CPU consumption per verification call. Although signature verification precedes claim validation, the vulnerability remains exploitable in authenticated or token-bearing contexts such as internal service meshes and shared-secret deployments. This condition is classified under CWE-1333 (Inefficient Regular Expression) and CWE-400 (Uncontrolled Resource Consumption).

The research also documents asynchronous verification anomalies, callback invocation behaviors, and claim validation edge cases that may produce unexpected side effects in real-world middleware stacks. Importantly, the paper does not focus on configuration mistakes or deprecated vulnerabilities, but rather on implementation-level behaviors that persist in current versions of actively maintained libraries.

All findings are supported by reproducible harnesses, proof-of-concept scripts, measured outputs, and documented disclosure interactions with vendors. The methodology emphasizes transparency and reproducibility, providing complete scripts and execution logs to allow independent validation of results.

The broader implication of this work is that JWT verification should be treated as a security-critical subsystem rather than a commodity utility. Signature correctness does not imply semantic correctness, and specification compliance does not guarantee consistent enforcement across implementations. As distributed architectures increasingly depend on JWTs for identity propagation and policy enforcement, subtle divergences in verification semantics can undermine trust assumptions at architectural boundaries.

This study contributes to the ongoing discourse on cryptographic library assurance by highlighting the need for strict specification enforcement, deterministic claim validation, and resilience against adversarial inputs within token verification logic. It encourages maintainers to adopt secure-by-default behaviors, developers to standardize verification stacks, and security teams to incorporate differential testing and claim fuzzing into their threat modeling processes.

By documenting both the technical findings and the investigative process, this work aims to strengthen the security posture of the Node.js JWT ecosystem and to provide a replicable framework for analyzing token verification libraries across programming environments.

Files

Security Analysis of JWT Verification Libraries in the Node.pdf