Anonymous Intelligence Signal

Critical JWT Vulnerability: Refresh Tokens Never Invalidate, Enabling Session Hijacking

human The Lab unverified 2026-04-18 21:22:32 Source: GitHub Issues

A critical security flaw has been identified in a JWT implementation whose refresh tokens are never invalidated after use. The result is a token replay vulnerability: a single stolen refresh token can be presented again and again to mint new access tokens for as long as the token itself remains valid, and with a long-lived or non-expiring refresh token that amounts to permanent access to the user's session, i.e. full session hijacking.

The vulnerability is straightforward to exploit. After a user authenticates and receives a refresh token, redeeming that token for a new access token leaves the original refresh token valid. An attacker who intercepts or steals it can therefore replay it repeatedly to obtain fresh, valid access tokens, and nothing on the server side ever notices the reuse. This bypasses the intended security model, in which a refresh token is single-use: redeeming it should invalidate it and issue a rotated replacement. Rotation alone is not sufficient, though. Because the server cannot tell whether the replayed copy came from the victim or the thief, the reuse of an already-consumed token should also revoke the entire token family descending from that login, so that both parties are logged out and the legitimate user is forced to re-authenticate.
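The following is an added example written for this page, not code from the affected library or from the issue report. It uses a minimal stdlib-only HS256 JWT helper and two hypothetical token servers: `VulnerableAuthServer`, which reproduces the pattern described above (the refresh endpoint verifies the token's signature but never records that it has been consumed), and `RotatingAuthServer`, which issues single-use refresh tokens carrying a per-token `jti` and a per-login family id `fam`, and revokes the whole family when a consumed token is replayed. All identifiers, the secret, and the `replay_demo` scenario are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Minimal HS256 JWT: header.payload.signature, all base64url."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = SECRET) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def _issue_pair(user: str, refresh_claims: dict) -> Tuple[str, str]:
    now = int(time.time())
    access = sign_jwt({"sub": user, "typ": "access", "exp": now + 300})
    refresh = sign_jwt({"sub": user, "typ": "refresh", "exp": now + 86400, **refresh_claims})
    return access, refresh


class VulnerableAuthServer:
    """The flawed pattern: the refresh token is verified but never marked as consumed."""

    def login(self, user: str) -> Tuple[str, str]:
        return _issue_pair(user, {"jti": secrets.token_hex(8)})

    def refresh(self, refresh_token: str) -> Optional[Tuple[str, str]]:
        claims = verify_jwt(refresh_token)
        if claims is None or claims.get("typ") != "refresh":
            return None
        # BUG: nothing records that this token was redeemed, so replaying it succeeds
        # every time until (or unless) its exp claim finally runs out.
        return _issue_pair(claims["sub"], {"jti": secrets.token_hex(8)})


class RotatingAuthServer:
    """Single-use refresh tokens plus reuse detection that revokes the whole family."""

    def __init__(self) -> None:
        self.live = {}               # jti -> family id, only for tokens not yet redeemed
        self.revoked_families = set()

    def login(self, user: str) -> Tuple[str, str]:
        return self._issue(user, fam=secrets.token_hex(8))

    def refresh(self, refresh_token: str) -> Optional[Tuple[str, str]]:
        claims = verify_jwt(refresh_token)
        if claims is None or claims.get("typ") != "refresh":
            return None
        fam, jti = claims["fam"], claims["jti"]
        if fam in self.revoked_families:
            return None
        if jti not in self.live:
            # Genuine signature but already consumed: this is a replay. The server cannot
            # tell victim from attacker, so it revokes every token descended from this login.
            self.revoked_families.add(fam)
            return None
        del self.live[jti]  # single use: the presented token is dead from here on
        return self._issue(claims["sub"], fam)

    def _issue(self, user: str, fam: str) -> Tuple[str, str]:
        jti = secrets.token_hex(8)
        self.live[jti] = fam
        return _issue_pair(user, {"jti": jti, "fam": fam})


def replay_demo(server) -> Tuple[bool, bool, bool]:
    """Constructed scenario: (first refresh ok, attacker replay ok, victim's rotated token ok)."""
    _, stolen = server.login("alice")
    first = server.refresh(stolen)                  # legitimate redemption
    replay = server.refresh(stolen)                 # attacker replays the stolen original
    followup = server.refresh(first[1]) if first else None  # victim uses the rotated token
    return first is not None, replay is not None, followup is not None
```

Against `VulnerableAuthServer`, `replay_demo` returns `(True, True, True)`: the replay works and no one is alerted. Against `RotatingAuthServer` it returns `(True, False, False)`: the replay is refused and the victim's next refresh is refused too, which is the intended outcome, since forcing a fresh login is the only way to evict the attacker once a token has leaked. The same check is what an audit of a real implementation should look for: does the refresh endpoint persist the identifier of every redeemed token (or a per-family counter) and reject reuse, or does it only verify the signature?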

The security impact is rated as high. The flaw undermines the core promise of token-based authentication, that a leaked credential can be contained, and leaves affected accounts persistently exposed to takeover. It is a failure of session-management logic rather than of the JWT format itself, so it can affect any application or API that relies on this library for its refresh flow. Developers and security teams should audit their refresh endpoints for the same pattern: a token that is accepted on signature and expiry alone, with no server-side record of consumption, is replayable.