FKIE_CVE-2025-48951

Vulnerability from fkie_nvd - Published: 2025-06-03 21:15 - Updated: 2025-06-04 21:15
Severity ?
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H
Summary
Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKsrely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue.
References
security-advisories@github.comhttps://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715
security-advisories@github.comhttps://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492
security-advisories@github.comhttps://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q
security-advisories@github.comhttps://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34
security-advisories@github.comhttps://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKsrely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue."
    },
    {
      "lang": "es",
      "value": "Auth0-PHP es un SDK de PHP para las API de autenticaci\u00f3n y administraci\u00f3n de Auth0. Las versiones 8.0.0-BETA3 anteriores a la 8.14.0 contienen una vulnerabilidad debido a la deserializaci\u00f3n insegura de los datos de las cookies. Si se explota, dado que los SDK procesan el contenido de las cookies sin autenticaci\u00f3n previa, un atacante podr\u00eda enviar una cookie especialmente dise\u00f1ada con datos serializados maliciosos. Las aplicaciones que utilizan el SDK de Auth0-PHP se ven afectadas, al igual que las aplicaciones que utilizan los SDK de Auth0/Symfony, Auth0/Laravel-auth0 o Auth0/WordPress, ya que estos SDK dependen de las versiones 8.0.0-BETA3 a 8.14.0 del SDK de Auth0-PHP. La versi\u00f3n 8.3.1 incluye un parche para este problema.\n"
    }
  ],
  "id": "CVE-2025-48951",
  "lastModified": "2025-06-04T21:15:40.580",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-06-03T21:15:21.840",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.