Critical JWT Vulnerability: Refresh Tokens Never Invalidate, Enabling Session Hijacking
A critical security flaw has been identified in a JWT (JSON Web Token) implementation: refresh tokens are never invalidated after use. This is a token replay vulnerability. A single compromised refresh token can be presented repeatedly to mint new access tokens, so an attacker keeps working access for as long as the refresh token itself remains valid (indefinitely if it carries no expiry), regardless of how short-lived the access tokens are. If the refresh token is ever exposed, the bug effectively grants an attacker persistent access to the user's session.
The vulnerability is straightforward to exploit. After a normal login that returns a refresh token, an attacker holding a copy of that token can exchange it for a new access token. Crucially, the original refresh token remains valid after the exchange and can be presented again for another access token, and so on. This breaks the expected token lifecycle: a refresh token should be single-use, consumed (rotated) on each exchange so that a replayed copy is rejected, and a detected replay should revoke the whole chain of tokens descended from it, because a second presentation of a consumed token means someone other than the legitimate client holds a copy.
The security impact is rated high, as the flaw directly enables session hijacking. In a production environment this could lead to unauthorized account access, data breaches, and privilege escalation. The root cause is a failure in token lifecycle management: the server keeps no record of which refresh tokens have been consumed, so it cannot distinguish a legitimate refresh from a replay. Immediate patching is required to implement proper token rotation and invalidation: record each issued refresh token (for example by its jti claim), mark it consumed when exchanged, issue a fresh one in its place, and reject any further use of the old one.
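The following is an added example, not code from the affected implementation or from the report above. It puts the vulnerable refresh flow beside a hardened one so the difference is concrete. The JWT helpers are a minimal hand-rolled HS256 signer using only the standard library; the secret, the subject "alice", the in-memory RefreshStore, and the "fam" claim for grouping rotated tokens are all assumptions made for the demonstration. The hardened path does rotation plus reuse detection: a consumed token that is presented again revokes the whole family, which goes slightly beyond the single-use behaviour the text describes.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"constructed-demo-secret"  # constructed key for the example, not a real deployment value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    """Minimal HS256 JWT signer (stdlib only) so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str) -> dict:
    """Check the HS256 signature and exp claim; return the claims on success."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", float("inf")) < time.time():
        raise ValueError("expired")
    return claims


# --- Vulnerable flow: stateless refresh, nothing records consumption ---------

def issue_pair_vulnerable(sub: str):
    access = sign_jwt({"sub": sub, "typ": "access", "exp": time.time() + 900})
    refresh = sign_jwt({"sub": sub, "typ": "refresh", "exp": time.time() + 30 * 86400})
    return access, refresh


def refresh_vulnerable(refresh_token: str) -> str:
    claims = verify_jwt(refresh_token)
    if claims.get("typ") != "refresh":
        raise ValueError("not a refresh token")
    # Bug: the token is only signature-checked. Nothing marks it consumed, so the
    # same token mints a new access token on every call until its own exp.
    return sign_jwt({"sub": claims["sub"], "typ": "access", "exp": time.time() + 900})


# --- Hardened flow: rotation with server-side state and reuse detection -------

class RefreshStore:
    """Assumed in-memory record of issued refresh tokens, keyed by jti."""

    def __init__(self):
        self.tokens = {}            # jti -> {"sub", "family", "used"}
        self.revoked_families = set()

    def issue(self, sub: str, family: str = None) -> str:
        jti = secrets.token_urlsafe(16)
        family = family or secrets.token_urlsafe(16)  # one family per login
        self.tokens[jti] = {"sub": sub, "family": family, "used": False}
        return sign_jwt({"sub": sub, "typ": "refresh", "jti": jti, "fam": family,
                         "exp": time.time() + 30 * 86400})


def refresh_hardened(store: RefreshStore, refresh_token: str):
    claims = verify_jwt(refresh_token)
    if claims.get("typ") != "refresh":
        raise ValueError("not a refresh token")
    rec = store.tokens.get(claims.get("jti"))
    if rec is None or rec["family"] in store.revoked_families:
        raise PermissionError("unknown or revoked refresh token")
    if rec["used"]:
        # Replay: the legitimate client already rotated this token, so a second
        # presentation means another party holds a copy. Kill the whole family.
        store.revoked_families.add(rec["family"])
        raise PermissionError("refresh token reuse detected; session revoked")
    rec["used"] = True  # single use: consumed on this exchange
    access = sign_jwt({"sub": rec["sub"], "typ": "access", "exp": time.time() + 900})
    new_refresh = store.issue(rec["sub"], rec["family"])
    return access, new_refresh


def demo() -> dict:
    """Replay one stolen refresh token against both flows and report what happened."""
    _, stolen = issue_pair_vulnerable("alice")
    vulnerable_reuses = sum(1 for _ in range(3) if verify_jwt(refresh_vulnerable(stolen)))

    store = RefreshStore()
    stolen = store.issue("alice")
    _, rotated = refresh_hardened(store, stolen)   # legitimate first use
    results = {"vulnerable_reuses": vulnerable_reuses}
    try:
        refresh_hardened(store, stolen)             # attacker replays the old token
        results["replay_rejected"] = False
    except PermissionError:
        results["replay_rejected"] = True
    try:
        refresh_hardened(store, rotated)            # even the rotated token is now dead
        results["family_revoked"] = False
    except PermissionError:
        results["family_revoked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the stolen token succeeding three times against the vulnerable endpoint, while against the hardened endpoint the replay is rejected and the entire family, including the token the legitimate client just received, is revoked. Revoking the family rather than just the replayed token is deliberate: at that point the server cannot tell which of the two presenters is the real user, so forcing a fresh login is the safe choice.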