In this post, we’ll look how an adversary can mint authentication cookies for Next.js (

) applications to maintain persistent access to the application as any user.

The reason this is important is because of 

, which is a deserialization vulnerability that allows an adversary to run arbitrary code. Much has been discussed about this vulnerability, and you can read up the original details from the finder 

devs

> In this post, we’ll look how an adversary can mint authentication cookies for Next.js (`next-auth/Auth.js`) applications to maintain persistent access to the application as any user.
>
> The reason this is important is because of `React2Shell`, which is a deserialization vulnerability that allows an adversary to run arbitrary code. Much has been discussed about this vulnerability, and you can read up the original details from the finder [here](https://react2shell.com/).
>
> - Exploitation of React2Shell
> - Mandatory Secret Rotation
> - The NEXTAUTH_SECRET is all you need
> - Creating a Next Auth Cookie Minter (Code)
> - Demonstration Video and Walkthrough
> - A Few More Implementation Details
> - Persistent Access to the Application
> - Detection Opportunities
> - Conclusion
> - References
> - Appendix
>
> [**...read more at embracethered.com**](https://embracethered.com/blog/posts/2026/minting-next-auth-nextjs-auth-cookies-react2shell-threat/)