Headline

GHSA-v9m8-9xxp-q492: Auth0-PHP SDK Deserialization of Untrusted Data vulnerability

Overview The Auth0 PHP SDK contains a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data.

Am I Affected? You are affected by this vulnerability if you meet the following preconditions:

Applications using the Auth0-PHP SDK, versions between 8.0.0-BETA3 to 8.3.0.
Applications using the following SDKs that rely on the Auth0-PHP SDK versions between 8.0.0-BETA3 to 8.3.0: a. Auth0/symfony, b. Auth0/laravel-auth0, c. Auth0/wordpress.

Fix Upgrade Auth0/Auth0-PHP to 8.3.1.

Acknowledgement Okta would like to thank Andreas Forsblom for discovering this vulnerability.

27 days ago

ghsa

Open in Source

#vulnerability #git #wordpress #php #auth

GitHub Advisory Database
GitHub Reviewed
CVE-2025-48951

Auth0-PHP SDK Deserialization of Untrusted Data vulnerability

Critical severity GitHub Reviewed Published Jun 3, 2025 in auth0/auth0-PHP • Updated Jun 4, 2025

Package

composer auth0/auth0-php (Composer)

Affected versions

>= 8.0.0-BETA3, < 8.3.1

Overview
The Auth0 PHP SDK contains a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data.

Am I Affected?
You are affected by this vulnerability if you meet the following preconditions:

Applications using the Auth0-PHP SDK, versions between 8.0.0-BETA3 to 8.3.0.
Applications using the following SDKs that rely on the Auth0-PHP SDK versions between 8.0.0-BETA3 to 8.3.0:
a. Auth0/symfony,
b. Auth0/laravel-auth0,
c. Auth0/wordpress.

Fix
Upgrade Auth0/Auth0-PHP to 8.3.1.

Acknowledgement
Okta would like to thank Andreas Forsblom for discovering this vulnerability.

References