CVE-2025-48951

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-48951
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48951.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-48951
Aliases
Related
Published
2025-06-03T21:15:21Z
Modified
2025-06-05T10:50:24.103736Z
Summary
[none]
Details

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions starting with 8.0.0-BETA3 and prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. Because the SDKs process cookie content without prior authentication, a threat actor could exploit this by sending a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKs rely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue.

References

Affected packages

Git / github.com/auth0/auth0-php

Affected ranges

Type
GIT
Repo
https://github.com/auth0/auth0-php
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.6.3
0.6.4
0.6.5
0.6.6

1.*

1.0.0
1.0.1
1.0.10
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9

2.*

2.0.0
2.1.0
2.1.1
2.1.2

3.*

3.0.0
3.0.1
3.1.0
3.2.0
3.2.1
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7
3.4.0
3.4.1
3.4.2
3.4.3

4.*

4.0.0
4.0.1
4.0.10
4.0.11
4.0.12
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9

5.*

5.0.0
5.0.1
5.0.3
5.0.4
5.0.5
5.0.6
5.1.1
5.2.0
5.3.0
5.3.1
5.3.2
5.4.0
5.5.0
5.5.1
5.6.0
5.7.0

7.*

7.0.0
7.1.0
7.2.0
7.3.0
7.4.0
7.5.0
7.6.0
7.6.1
7.6.2
7.7.0
7.8.0
7.9.0

8.*

8.0.0
8.0.0-BETA1
8.0.0-BETA2
8.0.0-BETA3
8.0.1
8.0.2
8.0.3
8.0.4
8.0.5
8.0.6
8.1.0
8.2.0
8.2.1
8.3.0