CVE-2025-48951

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKs rely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue.
CVSS

No CVSS.

Configurations

No configuration.

History

04 Jun 2025, 21:15

Type: References
  Values Removed:
    • https://github.com/auth0/auth0-PHP/commit/52a79480fdb246f59dbc089b81a784ae049bd389 (source: security-advisories@github.com)
  Values Added:
    • https://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715

Type: Summary
  Values Removed:
    • (en) Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.14.0 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKs rely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.14.0 contains a patch for the issue.
  Values Added:
    • (en) Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKs rely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue.

04 Jun 2025, 19:15

Type: References
  Values Added:
    • https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q
    • https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34
    • https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r

04 Jun 2025, 14:54

Type: Summary
  Values Added:
    • (es) Auth0-PHP is a PHP SDK for the Auth0 authentication and management APIs. Versions 8.0.0-BETA3 prior to 8.14.0 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since the SDKs process cookie content without prior authentication, an attacker could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/Symfony, Auth0/Laravel-auth0 or Auth0/WordPress SDKs, since those SDKs depend on Auth0-PHP SDK versions 8.0.0-BETA3 through 8.14.0. Version 8.14.0 includes a patch for this issue.

03 Jun 2025, 21:15

Type: New CVE

Information

Published : 2025-06-03 21:15

Updated : 2025-06-04 21:15


NVD link : CVE-2025-48951

Mitre link : CVE-2025-48951

CVE.ORG link : CVE-2025-48951
Products Affected

No product.

CWE
CWE-502

Deserialization of Untrusted Data