CVE-2025-48951

CRITICAL EPSS 45.2%
Published Jun 3, 20251y ago · Modified Jun 17, 20262w ago
9.3 CVSS 4.0
Critical
Find Similar
Published Jun 3, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKsrely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue.

CVSS Details

Base Score
9.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
45.2% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-502 Deserialization of Untrusted Data Validation

References 5

  • github.com https://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715
  • github.com https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492
  • github.com https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q
  • github.com https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34
  • github.com https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.