Critical JWT Vulnerability: Refresh Tokens Never Invalidate, Enabling Session Hijacking

A critical security flaw has been identified in a JWT implementation where refresh tokens are never invalidated after use. This creates a token replay vulnerability, allowing a single compromised refresh token to be reused indefinitely to generate new access tokens. The bug effectively grants an attacker permanent access to a user's session if the refresh token is ever exposed.

The vulnerability is straightforward to exploit. After a standard authentication that provides a refresh token, an attacker can use that token to obtain a new access token. Crucially, the original refresh token remains fully active and can be used again to generate another valid access token. This cycle can be repeated without limit, as the system fails to mark the used refresh token as invalid or rotate it out. The security impact is rated as high, directly enabling session hijacking.

This flaw undermines a core security principle of token-based authentication, where refresh tokens should be single-use or immediately invalidated upon issuance of a new token pair. Its presence in a production system exposes all user accounts to persistent compromise. The issue demands immediate patching to implement proper token rotation and invalidation logic, as the current state leaves sessions vulnerable to indefinite hijacking from a single point of failure.