GHSA-9fwj-9mjf-rhj3: laravel-auth0 SDK Vulnerable to Brute Force Authentication Tags of CookieStore Sessions

1. GitHub Advisory Database
2. GitHub Reviewed
3. GHSA-9fwj-9mjf-rhj3

laravel-auth0 SDK Vulnerable to Brute Force Authentication Tags of CookieStore Sessions

Critical severity GitHub Reviewed Published May 15, 2025 in auth0/laravel-auth0 • Updated May 17, 2025

Package

Affected versions

< 7.17.0

Overview
Session cookies of applications using the laravel-auth0 SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.

Am I Affected?
You are affected by this vulnerability if you meet the following pre-conditions:

1. Applications using laravel-auth0 SDK with version <=7.16.0
2. laravel-auth0 SDK uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0.
3. Session storage configured with CookieStore.

Fix
Upgrade Auth0/laravel-auth0 to v7.17.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.

Acknowledgement
Okta would like to thank Félix Charette for discovering this vulnerability.

References

• GHSA-9fwj-9mjf-rhj3
• https://nvd.nist.gov/vuln/detail/CVE-2025-47275
• auth0/laravel-auth0@be2c59a
• https://github.com/auth0/laravel-auth0/releases/tag/7.17.0

Published to the GitHub Advisory Database

May 17, 2025

Last updated

May 17, 2025