CVE-2025-48951
CRITICALauth0-php 8.0.0-BETA3-8.3.1 - Unauthenticated Deserialization of Untrusted Data via Cookie
Title source: llmDescription
Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKsrely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue.
References (5)
Core 5
Core References
Vendor Advisory x_refsource_confirm
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492
Vendor Advisory x_refsource_misc
https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q
Vendor Advisory x_refsource_misc
https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34
Vendor Advisory x_refsource_misc
https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r
Scores
CVSS v4
9.3
EPSS
0.0062
EPSS Percentile
44.9%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-502
Status
published
Products (2)
auth0/auth0-php
8.0.0-BETA3 - 8.3.1Packagist
auth0/auth0-PHP
>= 8.0.0-BETA3, < 8.3.1
Published
Jun 03, 2025
Tracked Since
Feb 18, 2026