GHSA-G98G-R7GF-2R25

Vulnerability from github – Published: 2025-05-16 17:48 – Updated: 2025-05-22 20:03
VLAI?
Summary
Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK
Details

Overview Session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.

Am I Affected? You are affected by this vulnerability if you meet the following pre-conditions: 1. Applications using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK: a. Auth0/symfony, b. Auth0/laravel-auth0, c. Auth0/wordpress, 2. Session storage configured with CookieStore.

Fix Upgrade Auth0/Auth0-PHP to v8.14.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.

Acknowledgement Okta would like to thank Félix Charette for discovering this vulnerability.

Severity ?
9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "auth0/auth0-php"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0-BETA1"
            },
            {
              "fixed": "8.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-47275"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-16T17:48:55Z",
    "nvd_published_at": "2025-05-15T22:15:18Z",
    "severity": "CRITICAL"
  },
  "details": "**Overview**\nSession cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.\n\n**Am I Affected?**\nYou are affected by this vulnerability if you meet the following pre-conditions:\n1. Applications using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK:\n    a. Auth0/symfony,\n    b. Auth0/laravel-auth0,\n    c. Auth0/wordpress,\n2. Session storage configured with CookieStore.\n\n**Fix**\nUpgrade Auth0/Auth0-PHP to v8.14.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.\n\n**Acknowledgement**\nOkta would like to thank F\u00e9lix Charette for discovering this vulnerability.",
  "id": "GHSA-g98g-r7gf-2r25",
  "modified": "2025-05-22T20:03:15Z",
  "published": "2025-05-16T17:48:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-g98g-r7gf-2r25"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/wordpress/security/advisories/GHSA-2f4r-34m4-3w8q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47275"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/auth0-PHP/commit/52a79480fdb246f59dbc089b81a784ae049bd389"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/auth0/auth0-PHP"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/auth0-PHP/releases/tag/8.14.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.