CVE-2025-48951 (GCVE-0-2025-48951)
Vulnerability from cvelistv5 – Published: 2025-06-03 20:52 – Updated: 2025-06-04 20:32
VLAI?
Summary
Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKsrely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue.
Severity ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48951",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-04T13:33:17.352742Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T13:33:26.037Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "auth0-PHP",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0-BETA3, \u003c 8.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKsrely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T20:32:18.609Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492"
},
{
"name": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q"
},
{
"name": "https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34"
},
{
"name": "https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r"
},
{
"name": "https://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715"
}
],
"source": {
"advisory": "GHSA-v9m8-9xxp-q492",
"discovery": "UNKNOWN"
},
"title": "Auth0-PHP SDK Deserialization of Untrusted Data vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48951",
"datePublished": "2025-06-03T20:52:35.064Z",
"dateReserved": "2025-05-28T18:49:07.585Z",
"dateUpdated": "2025-06-04T20:32:18.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-48951\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-06-03T21:15:21.840\",\"lastModified\":\"2025-06-04T21:15:40.580\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKsrely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue.\"},{\"lang\":\"es\",\"value\":\"Auth0-PHP es un SDK de PHP para las API de autenticaci\u00f3n y administraci\u00f3n de Auth0. Las versiones 8.0.0-BETA3 anteriores a la 8.14.0 contienen una vulnerabilidad debido a la deserializaci\u00f3n insegura de los datos de las cookies. Si se explota, dado que los SDK procesan el contenido de las cookies sin autenticaci\u00f3n previa, un atacante podr\u00eda enviar una cookie especialmente dise\u00f1ada con datos serializados maliciosos. Las aplicaciones que utilizan el SDK de Auth0-PHP se ven afectadas, al igual que las aplicaciones que utilizan los SDK de Auth0/Symfony, Auth0/Laravel-auth0 o Auth0/WordPress, ya que estos SDK dependen de las versiones 8.0.0-BETA3 a 8.14.0 del SDK de Auth0-PHP. La versi\u00f3n 8.3.1 incluye un parche para este problema.\\n\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"references\":[{\"url\":\"https://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-48951\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-04T13:33:17.352742Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-04T13:33:23.250Z\"}}], \"cna\": {\"title\": \"Auth0-PHP SDK Deserialization of Untrusted Data vulnerability\", \"source\": {\"advisory\": \"GHSA-v9m8-9xxp-q492\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 9.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"auth0\", \"product\": \"auth0-PHP\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 8.0.0-BETA3, \u003c 8.3.1\"}]}], \"references\": [{\"url\": \"https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492\", \"name\": \"https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q\", \"name\": \"https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34\", \"name\": \"https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r\", \"name\": \"https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715\", \"name\": \"https://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKsrely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-06-04T20:32:18.609Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-48951\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-04T20:32:18.609Z\", \"dateReserved\": \"2025-05-28T18:49:07.585Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-06-03T20:52:35.064Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…