Attackers who obtain the NEXTAUTH_SECRET (or AUTH_SECRET) from Next.js applications using next-auth/Auth.js can mint arbitrary authentication cookies to impersonate any user and maintain persistent access. This is particularly concerning after React2Shell exploitation, where attackers can extract environment variables. The article demonstrates how to create a cookie minting tool using next-auth's own functions, explains the HKDF-based key derivation process, and emphasizes the critical need to rotate NEXTAUTH_SECRET alongside OAuth credentials. Detection strategies include monitoring for duplicate JWT IDs, impossible travel patterns, and sessions without corresponding login events.

From embracethered.com (5 min read)
Table of contents

- Exploitation of React2Shell
- Mandatory Secret Rotation
- The NEXTAUTH_SECRET is all you need
- Creating a Next Auth Cookie Minter (Code)
- Demonstration Video and Walkthrough
- Persistent Access to the Application
- Detection Opportunities
- Conclusion
- References
- Appendix
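The three detection signals the summary lists (a JWT ID presented from more than one place, a session with no preceding login event, and impossible travel) can be checked over ordinary auth logs. The following is an added example, not code from the article or from next-auth; the log field names (ts, type, user, jti, ip, geo) and the sample records are assumptions about what a Next.js deployment would log.

```javascript
// Added example, not from the article: detection heuristics over constructed
// auth-log records. Field names and sample values are assumptions; ts is in
// seconds, 'signin' is the server-side login event, 'request' is a cookie use.
const SAMPLE_EVENTS = [
  { ts: 0,   type: 'signin',  user: 'alice', jti: 'j-a1', ip: '10.0.0.5',     geo: 'DE' },
  { ts: 60,  type: 'request', user: 'alice', jti: 'j-a1', ip: '10.0.0.5',     geo: 'DE' },
  { ts: 120, type: 'request', user: 'alice', jti: 'j-a1', ip: '203.0.113.9',  geo: 'US' },
  { ts: 300, type: 'request', user: 'bob',   jti: 'j-b9', ip: '198.51.100.2', geo: 'FR' },
];

// Signal 1: one JWT ID presented from more than one source IP.
function duplicateJtis(events) {
  const ipsByJti = new Map();
  for (const e of events.filter(ev => ev.type === 'request')) {
    ipsByJti.set(e.jti, (ipsByJti.get(e.jti) || new Set()).add(e.ip));
  }
  return [...ipsByJti].filter(([, ips]) => ips.size > 1).map(([jti]) => jti);
}

// Signal 2: a session cookie used without an earlier signin event for that user
// (a cookie minted offline from the secret never passes through the login flow).
function sessionsWithoutLogin(events) {
  const firstSignin = new Map();
  for (const e of events) {
    if (e.type === 'signin' && !firstSignin.has(e.user)) firstSignin.set(e.user, e.ts);
  }
  const flagged = new Set();
  for (const e of events) {
    if (e.type !== 'request') continue;
    const t = firstSignin.get(e.user);
    if (t === undefined || t > e.ts) flagged.add(e.jti);
  }
  return [...flagged];
}

// Signal 3: the same user seen from two geolocations within `windowSec`.
function impossibleTravel(events, windowSec = 3600) {
  const last = new Map(); // user -> { ts, geo }
  const flagged = [];
  for (const e of [...events].sort((a, b) => a.ts - b.ts)) {
    const prev = last.get(e.user);
    if (prev && prev.geo !== e.geo && e.ts - prev.ts <= windowSec) {
      flagged.push({ user: e.user, from: prev.geo, to: e.geo });
    }
    last.set(e.user, { ts: e.ts, geo: e.geo });
  }
  return flagged;
}

// Runs all three checks over a log slice (defaults to the constructed sample).
function runDetections(events = SAMPLE_EVENTS) {
  return {
    duplicateJtis: duplicateJtis(events),
    sessionsWithoutLogin: sessionsWithoutLogin(events),
    impossibleTravel: impossibleTravel(events),
  };
}
```

Signal 2 is the strongest of the three for a minted cookie, since the cookie is valid but the server never issued it; signals 1 and 3 also fire on ordinary cookie theft.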