Anonymous Intelligence Signal

Critical JWT Vulnerability: Refresh Tokens Never Invalidate, Enabling Session Hijacking

human The Lab unverified 2026-04-18 02:22:30 Source: GitHub Issues

A critical security flaw has been identified in a JWT (JSON Web Token) implementation whose refresh tokens are never invalidated after use. The result is a token replay vulnerability: a single compromised refresh token can be presented again and again to mint new access tokens. In effect, an attacker who ever obtains a user's refresh token keeps access to that session for as long as the token itself remains valid, which is indefinitely if the token carries no expiry.

The vulnerability is straightforward to exploit. After a user authenticates and receives a refresh token, exchanging that token for a new access token leaves the original refresh token valid. An attacker who has captured it, whether through a man-in-the-middle position, a client-side compromise, or a server-side leak, can replay the same refresh token repeatedly to obtain fresh, valid access tokens. This bypasses the intended security model, in which a refresh token is single-use: the server consumes it on presentation and issues a rotated replacement, so a replayed token is rejected.
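To make the failure concrete, the following is an added example written for this note; it is not code from the GitHub issue or from the affected project, which the signal does not name. It contains a stdlib-only HS256 JWT helper, a `VulnerableAuth` service that reproduces the described behaviour (signature checked, token never consumed), and a `RotatingAuth` service that consumes each refresh token on use, issues a rotated replacement, and revokes the whole token family when an already-consumed token is replayed. The class names, the `jti`/`fam` claim names, the demo secret and the in-memory store are all assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo secret; a real service loads this from a secret store.
SECRET = b"demo-only-hs256-secret"
ACCESS_TTL, REFRESH_TTL = 15 * 60, 30 * 24 * 3600


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims):
    """Minimal HS256 JWT encoder (stdlib only) standing in for a JWT library."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"


def verify(token):
    """Return the claims if alg, signature and exp check out; else raise ValueError."""
    try:
        header, body, mac = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(mac)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


def issue_access(user):
    return sign({"sub": user, "typ": "access", "exp": time.time() + ACCESS_TTL})


class VulnerableAuth:
    """The bug as described: a refresh token is verified but never consumed."""

    def login(self, user):
        return issue_access(user), sign(
            {"sub": user, "typ": "refresh", "exp": time.time() + REFRESH_TTL})

    def refresh(self, refresh_token):
        claims = verify(refresh_token)
        if claims.get("typ") != "refresh":
            raise ValueError("not a refresh token")
        return issue_access(claims["sub"])  # the same refresh token stays valid


class RotatingAuth:
    """Single-use refresh tokens with reuse detection via token families."""

    def __init__(self):
        self.active = {}  # jti -> family id, for every not-yet-consumed token
        self.revoked_families = set()

    def _issue_refresh(self, user, family):
        jti = secrets.token_hex(16)
        self.active[jti] = family
        return sign({"sub": user, "typ": "refresh", "jti": jti, "fam": family,
                     "exp": time.time() + REFRESH_TTL})

    def login(self, user):
        return issue_access(user), self._issue_refresh(user, secrets.token_hex(8))

    def refresh(self, refresh_token):
        claims = verify(refresh_token)
        if claims.get("typ") != "refresh":
            raise ValueError("not a refresh token")
        jti, family = claims["jti"], claims["fam"]
        if family in self.revoked_families:
            raise ValueError("token family revoked")
        if jti not in self.active:
            # Validly signed but already consumed: this is a replay. Treat the whole
            # family as stolen so both the attacker and the victim are logged out.
            self.revoked_families.add(family)
            self.active = {j: f for j, f in self.active.items() if f != family}
            raise ValueError("refresh token reuse detected; session revoked")
        del self.active[jti]  # consume it: single use
        return issue_access(claims["sub"]), self._issue_refresh(claims["sub"], family)


def replay_count(auth_cls, attempts=3):
    """How many times one captured refresh token yields a new access token."""
    auth = auth_cls()
    _, captured = auth.login("alice")
    wins = 0
    for _ in range(attempts):
        try:
            auth.refresh(captured)
            wins += 1
        except ValueError:
            break
    return wins


def reuse_revokes_family():
    """Victim rotates, attacker replays the old token, victim's new token dies too."""
    auth = RotatingAuth()
    _, rt0 = auth.login("alice")
    _, rt1 = auth.refresh(rt0)  # legitimate rotation by the real client
    for token in (rt0, rt1):  # attacker replays rt0, then victim presents rt1
        try:
            auth.refresh(token)
            return False
        except ValueError:
            pass
    return True
```

Running `replay_count(VulnerableAuth)` returns 3 (every replay of the captured token succeeds), while `replay_count(RotatingAuth)` returns 1 and `reuse_revokes_family()` returns `True`. The second service pays for its safety with server-side state: the set of unconsumed `jti` values has to live in a store shared by every instance that serves the refresh endpoint, otherwise a token consumed on one node still replays on another.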

This high-impact bug is a fundamental failure in session-management logic and directly enables session hijacking. It puts every user account at risk and undermines the guarantee the refresh mechanism exists to provide, namely that a leaked credential has a bounded lifetime. The flaw demands immediate patching by the development team, since it lets an attacker keep unauthorized access long after the initial token leak, with significant implications for data privacy and system integrity.