Perceptive Security
SOC/SIEM Consultancy

fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit (Critical) Header Parameter defined in RFC…
Published:
5 April 2026 at 22:00:00
Alert date:
6 April 2026 at 18:04:04
Source:
nvd.nist.gov
Web Technologies, Supply Chain & Dependencies
The fast-jwt library version 6.1.0 and earlier contains a vulnerability where it fails to validate the 'crit' (Critical) Header Parameter as defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that the library doesn't understand, it incorrectly accepts the token instead of rejecting it. This behavior violates the MUST requirement specified in the RFC standard. The vulnerability affects JWT token validation security by allowing potentially malicious tokens with unknown critical extensions to be processed. This could lead to security bypasses in applications relying on proper JWT validation.
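The following is an added example, not code from fast-jwt, the advisory, or Perceptive: a standalone implementation of the RFC 7515 §4.1.11 rule the advisory describes, so a reader can see what a correct verifier must do with the crit header before trusting a token. It assumes only Node's global Buffer; the extension name "http://example.invalid/UNDEFINED" and the sample tokens (with a fake signature part) are constructed for the demonstration, and signature and claim verification are deliberately left to the caller.

```javascript
"use strict";
// Added example (not fast-jwt's code). Enforces RFC 7515 section 4.1.11:
// a JWS whose "crit" array names an extension the recipient does not
// understand MUST be rejected. This check belongs before signature and
// claim verification; it does not replace them.

// Header Parameter names registered for JWS by RFC 7515 / RFC 7518.
// These are not extensions, so "crit" must never list them.
const REGISTERED_JWS_HEADER_NAMES = new Set([
  "alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit",
]);

// Returns null when the header satisfies the crit rule, otherwise a string
// naming the first violation found.
function critViolation(header, understoodExtensions = []) {
  if (!Object.prototype.hasOwnProperty.call(header, "crit")) {
    return null; // "crit" is optional; nothing to enforce when absent
  }
  const crit = header.crit;
  if (!Array.isArray(crit) || crit.length === 0) {
    return "crit must be a non-empty array";
  }
  const understood = new Set(understoodExtensions);
  const seen = new Set();
  for (const name of crit) {
    if (typeof name !== "string") return "crit entries must be strings";
    if (seen.has(name)) return `duplicate crit entry: ${name}`;
    seen.add(name);
    if (REGISTERED_JWS_HEADER_NAMES.has(name)) {
      return `crit must not list registered header ${name}`;
    }
    if (!Object.prototype.hasOwnProperty.call(header, name)) {
      return `crit names ${name} but the header does not carry it`;
    }
    if (!understood.has(name)) {
      return `unsupported critical extension: ${name}`;
    }
  }
  return null;
}

// base64url helpers (RFC 7515 section 2): no padding, URL-safe alphabet.
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8");
}
function base64UrlEncode(str) {
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode the protected header of a compact JWS (header.payload.signature).
function decodeProtectedHeader(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(base64UrlDecode(parts[0]));
}

// Gate to run before signature verification: true only when the crit rule
// passes for the extensions this application actually implements.
function acceptsCritHeader(token, understoodExtensions = []) {
  return critViolation(decodeProtectedHeader(token), understoodExtensions) === null;
}

// Constructed sample tokens; the signature part is a placeholder because only
// the header is inspected here.
function makeSampleToken(header) {
  const h = base64UrlEncode(JSON.stringify(header));
  const p = base64UrlEncode(JSON.stringify({ sub: "alice" }));
  return `${h}.${p}.c2ln`;
}

// Constructed extension name for the demo; nothing real defines it.
const DEMO_EXTENSION = "http://example.invalid/UNDEFINED";
const TOKEN_NO_CRIT = makeSampleToken({ alg: "HS256", typ: "JWT" });
const TOKEN_UNKNOWN_CRIT = makeSampleToken({
  alg: "HS256",
  crit: [DEMO_EXTENSION],
  [DEMO_EXTENSION]: true,
});

console.log("no crit      ->", acceptsCritHeader(TOKEN_NO_CRIT));                    // true
console.log("unknown crit ->", acceptsCritHeader(TOKEN_UNKNOWN_CRIT));               // false
console.log("known crit   ->", acceptsCritHeader(TOKEN_UNKNOWN_CRIT, [DEMO_EXTENSION])); // true
```

The second call is the case the advisory describes: a token whose crit list names an extension the verifier does not implement is rejected outright, regardless of whether its signature would otherwise check out. Only when the application explicitly declares that it understands the extension (third call) does the token pass to the next stage.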
Technical details
Mitigation steps:
Affected products:
fast-jwt
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-35042
https://github.com/nearform/fast-jwt/security/advisories/GHSA-hm7r-c7qw-ghp6
https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.