An adversary can mint authentication cookies for Next.js (next-auth) applications and maintain persistent access to the application as any user if they got a hold of the NEXTAUTH_SECRET used to encrypt and sign the auth tokens

Embrace the Red's resource offers insights, tutorials, and resources for developers and enthusiasts interested in game development and game design. Readers can learn about game design principles, storytelling techniques, and game development tools. With articles, tutorials, and game reviews, Embrace the Red provides  guidance and expertise for creating immersive and engaging gaming experiences.

Embrace The Red

Attackers who obtain the NEXTAUTH_SECRET (or AUTH_SECRET) from Next.js applications using next-auth/Auth.js can mint arbitrary authentication cookies to impersonate any user and maintain persistent access. This is particularly concerning after React2Shell exploitation, where attackers can extract environment variables. The article demonstrates how to create a cookie minting tool using next-auth's own functions, explains the HKDF-based key derivation process, and emphasizes the critical need to rotate NEXTAUTH_SECRET alongside OAuth credentials. Detection strategies include monitoring for duplicate JWT IDs, impossible travel patterns, and sessions without corresponding login events.

Minting Next.js Authentication Cookies · Embrace The Red

Creating a Next Auth Cookie Minter (Code)