Minting Next.js Authentication Cookies
Summary
An attacker who exploits a React2Shell vulnerability (a deserialization flaw allowing arbitrary code execution) in a Next.js application can steal the NEXTAUTH_SECRET environment variable and use it to mint forged authentication cookies, gaining persistent access as any user. The attacker only needs this one secret value to create valid session tokens because next-auth uses HKDF (HMAC-based Key Derivation Function, which derives encryption keys from a master secret) with predictable salt values based on cookie names.
Solution / Mitigation
Ensure all secrets are rotated regularly, including the NEXTAUTH_SECRET or the newer AUTH_SECRET. The source also recommends these detection approaches: log the JWT ID on every session and alert on duplicates from different IP addresses; identify impossible travel by users; monitor for sessions without corresponding login events in auth logs; and watch for off-hours access or unusual user-agent strings.
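The first and third detection approaches above (alerting on one JWT ID seen from more than one IP address, and flagging sessions that no login event ever issued) are straightforward to implement over structured auth logs. The following is an added example, not code from the original blog post or from next-auth: it assumes JSON-lines logs with the fields `ts`, `event`, `user`, `jti` and `ip` (an assumed schema; real logging would need to be configured to emit the JWT ID on both login and session events), and the log lines it runs on are constructed.

```python
"""Detect indicators of forged next-auth sessions in structured auth logs.

Assumed (not next-auth's own) log schema, one JSON object per line:
  {"ts": <epoch seconds>, "event": "login"|"session",
   "user": <name>, "jti": <JWT ID>, "ip": <client address>}
A "login" line means the application issued a session token with that jti;
a "session" line means a request was authenticated with that jti.
"""
import json
from collections import defaultdict

# Constructed sample log. jti-a1 is legitimate but later reused from a second
# address; jti-x9 authenticates requests although no login ever issued it,
# which is what a token minted offline from a stolen NEXTAUTH_SECRET looks like.
SAMPLE_LOG = """
{"ts": 1000, "event": "login",   "user": "alice", "jti": "jti-a1", "ip": "203.0.113.10"}
{"ts": 1005, "event": "session", "user": "alice", "jti": "jti-a1", "ip": "203.0.113.10"}
{"ts": 1100, "event": "session", "user": "alice", "jti": "jti-a1", "ip": "198.51.100.7"}
{"ts": 1200, "event": "session", "user": "bob",   "jti": "jti-x9", "ip": "192.0.2.55"}
{"ts": 1300, "event": "login",   "user": "carol", "jti": "jti-c3", "ip": "203.0.113.20"}
{"ts": 1310, "event": "session", "user": "carol", "jti": "jti-c3", "ip": "203.0.113.20"}
"""


def parse_log(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def duplicate_jti_ips(events):
    """Map each JWT ID used from more than one IP address to its sorted IP list.

    A stolen or forged token replayed from a second address shows up here; a
    single user switching networks can too, so this is an alert to triage, not
    a verdict on its own.
    """
    ips = defaultdict(set)
    for e in events:
        if e.get("event") == "session" and e.get("jti"):
            ips[e["jti"]].add(e["ip"])
    return {jti: sorted(addrs) for jti, addrs in ips.items() if len(addrs) > 1}


def sessions_without_login(events):
    """Return JWT IDs that authenticated requests but were never issued at login.

    A token minted directly from the secret never passes through the login
    path, so its jti has no corresponding login event.
    """
    issued = {e["jti"] for e in events if e.get("event") == "login" and e.get("jti")}
    used = {e["jti"] for e in events if e.get("event") == "session" and e.get("jti")}
    return sorted(used - issued)


def analyze(text):
    """Run both detections over raw log text and return the findings."""
    events = parse_log(text)
    return {
        "jti_reused_from_multiple_ips": duplicate_jti_ips(events),
        "sessions_without_login": sessions_without_login(events),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

Both checks depend on the JWT ID actually being logged at issue time and on every authenticated request; without the login-side record, the second check cannot distinguish a forged token from one issued before logging was enabled. Pairing these with the source's other suggestions (impossible travel, off-hours access, unusual user agents) narrows the false positives from users who legitimately change networks.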
Classification
Original source: https://embracethered.com/blog/posts/2026/minting-next-auth-nextjs-auth-cookies-react2shell-threat/
First tracked: February 12, 2026 at 02:20 PM
Classified by LLM (prompt v3) · confidence: 95%