CVE-2025-47275 (GCVE-0-2025-47275)
Vulnerability from cvelistv5 – Published: 2025-05-15 21:13 – Updated: 2025-05-22 20:03
VLAI?
Summary
Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Certain pre-conditions are required to be vulnerable to this issue: Applications using the Auth0-PHP SDK, or the Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress SDKs that rely on the Auth0-PHP SDK; and session storage configured with CookieStore. Upgrade Auth0/Auth0-PHP to v8.14.0 to receive a patch. As an additional precautionary measure, rotating cookie encryption keys is recommended. Note that once updated, any previous session cookies will be rejected.
Severity ?
9.1 (Critical)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47275",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-16T13:37:38.336273Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-16T13:37:44.844Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "auth0-PHP",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0-BETA1, \u003c 8.14.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Certain pre-conditions are required to be vulnerable to this issue: Applications using the Auth0-PHP SDK, or the Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress SDKs that rely on the Auth0-PHP SDK; and session storage configured with CookieStore. Upgrade Auth0/Auth0-PHP to v8.14.0 to receive a patch. As an additional precautionary measure, rotating cookie encryption keys is recommended. Note that once updated, any previous session cookies will be rejected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T20:03:34.201Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-g98g-r7gf-2r25",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-g98g-r7gf-2r25"
},
{
"name": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj3"
},
{
"name": "https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch"
},
{
"name": "https://github.com/auth0/wordpress/security/advisories/GHSA-2f4r-34m4-3w8q",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/wordpress/security/advisories/GHSA-2f4r-34m4-3w8q"
},
{
"name": "https://github.com/auth0/auth0-PHP/commit/52a79480fdb246f59dbc089b81a784ae049bd389",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/auth0-PHP/commit/52a79480fdb246f59dbc089b81a784ae049bd389"
},
{
"name": "https://github.com/auth0/auth0-PHP/releases/tag/8.14.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/auth0-PHP/releases/tag/8.14.0"
}
],
"source": {
"advisory": "GHSA-g98g-r7gf-2r25",
"discovery": "UNKNOWN"
},
"title": "Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47275",
"datePublished": "2025-05-15T21:13:01.150Z",
"dateReserved": "2025-05-05T16:53:10.372Z",
"dateUpdated": "2025-05-22T20:03:34.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-47275\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-05-15T22:15:18.667\",\"lastModified\":\"2025-05-16T14:42:18.700\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Certain pre-conditions are required to be vulnerable to this issue: Applications using the Auth0-PHP SDK, or the Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress SDKs that rely on the Auth0-PHP SDK; and session storage configured with CookieStore. Upgrade Auth0/Auth0-PHP to v8.14.0 to receive a patch. As an additional precautionary measure, rotating cookie encryption keys is recommended. Note that once updated, any previous session cookies will be rejected.\"},{\"lang\":\"es\",\"value\":\"Auth0-PHP proporciona el SDK de PHP para las API de autenticaci\u00f3n y administraci\u00f3n de Auth0. A partir de la versi\u00f3n 8.0.0-BETA1 y anteriores a la 8.14.0, las cookies de sesi\u00f3n de las aplicaciones que utilizan el SDK de Auth0-PHP configurado con CookieStore tienen etiquetas de autenticaci\u00f3n susceptibles de ataques de fuerza bruta, lo que puede provocar accesos no autorizados. Se requieren ciertas condiciones para ser vulnerables a este problema: Aplicaciones que utilizan el SDK de Auth0-PHP o los SDK de Auth0/Symfony, Auth0/Laravel-auth0 y Auth0/WordPress que dependen del SDK de Auth0-PHP; y almacenamiento de sesiones configurado con CookieStore. Actualice Auth0/Auth0-PHP a la versi\u00f3n 8.14.0 para recibir una actualizaci\u00f3n. Como medida de precauci\u00f3n adicional, se recomienda rotar las claves de cifrado de cookies. Tenga en cuenta que, una vez actualizada, se rechazar\u00e1n las cookies de sesi\u00f3n anteriores.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"references\":[{\"url\":\"https://github.com/auth0/auth0-PHP/commit/52a79480fdb246f59dbc089b81a784ae049bd389\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/auth0/auth0-PHP/releases/tag/8.14.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/auth0/auth0-PHP/security/advisories/GHSA-g98g-r7gf-2r25\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/auth0/wordpress/security/advisories/GHSA-2f4r-34m4-3w8q\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-47275\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-16T13:37:38.336273Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-16T13:37:42.164Z\"}}], \"cna\": {\"title\": \"Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK\", \"source\": {\"advisory\": \"GHSA-g98g-r7gf-2r25\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"auth0\", \"product\": \"auth0-PHP\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 8.0.0-BETA1, \u003c 8.14.0\"}]}], \"references\": [{\"url\": \"https://github.com/auth0/auth0-PHP/security/advisories/GHSA-g98g-r7gf-2r25\", \"name\": \"https://github.com/auth0/auth0-PHP/security/advisories/GHSA-g98g-r7gf-2r25\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj3\", \"name\": \"https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj3\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch\", \"name\": \"https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/auth0/wordpress/security/advisories/GHSA-2f4r-34m4-3w8q\", \"name\": \"https://github.com/auth0/wordpress/security/advisories/GHSA-2f4r-34m4-3w8q\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/auth0/auth0-PHP/commit/52a79480fdb246f59dbc089b81a784ae049bd389\", \"name\": \"https://github.com/auth0/auth0-PHP/commit/52a79480fdb246f59dbc089b81a784ae049bd389\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/auth0/auth0-PHP/releases/tag/8.14.0\", \"name\": \"https://github.com/auth0/auth0-PHP/releases/tag/8.14.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Certain pre-conditions are required to be vulnerable to this issue: Applications using the Auth0-PHP SDK, or the Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress SDKs that rely on the Auth0-PHP SDK; and session storage configured with CookieStore. Upgrade Auth0/Auth0-PHP to v8.14.0 to receive a patch. As an additional precautionary measure, rotating cookie encryption keys is recommended. Note that once updated, any previous session cookies will be rejected.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-05-22T20:03:34.201Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-47275\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-22T20:03:34.201Z\", \"dateReserved\": \"2025-05-05T16:53:10.372Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-05-15T21:13:01.150Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…