GHSA-g98g-r7gf-2r25

Suggest an improvement
Source
https://github.com/advisories/GHSA-g98g-r7gf-2r25
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-g98g-r7gf-2r25/GHSA-g98g-r7gf-2r25.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g98g-r7gf-2r25
Aliases
Related
Published
2025-05-16T17:48:55Z
Modified
2025-05-16T18:43:45.241350Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Forgeable Encrypted Session Cookie in Apps Using Auth0-PHP SDK
Details

Overview Session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.

Am I Affected? You are affected by this vulnerability if you meet the following pre-conditions: 1. Applications using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK: a. Auth0/symfony, b. Auth0/laravel-auth0, c. Auth0/wordpress, 2. Session storage configured with CookieStore.

Fix Upgrade Auth0/Auth0-PHP to v8.14.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.

Acknowledgement Okta would like to thank Félix Charette for discovering this vulnerability.

Database specific 
{
    "nvd_published_at": "2025-05-15T22:15:18Z",
    "cwe_ids": [
        "CWE-287"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-16T17:48:55Z"
}
References

Affected packages

Packagist / auth0/auth0-php

Package

Name
auth0/auth0-php
Purl
pkg:composer/auth0/auth0-php

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0-BETA1
Fixed
8.14.0

Affected versions

8.*

8.0.0-BETA1
8.0.0-BETA2
8.0.0-BETA3
8.0.0
8.0.1
8.0.2
8.0.3
8.0.4
8.0.5
8.0.6
8.1.0
8.2.0
8.2.1
8.3.0
8.3.1
8.3.2
8.3.3
8.3.4
8.3.5
8.3.6
8.3.7
8.3.8
8.4.0
8.5.0
8.6.0
8.7.0
8.7.1
8.8.0
8.9.0
8.9.1
8.9.3
8.10.0
8.11.0
8.11.1
8.12.0
8.13.0