Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1nOThnLXI3Z2YtMnIyNc4ABH_k

Critical EPSS: 0.00024% (0.04778 Percentile) EPSS:
Permalink JSON

Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK

Affected Packages Affected Versions Fixed Versions
packagist:auth0/auth0-php >= 8.0.0-BETA1, < 8.14.0 8.14.0
62 Dependent packages
358 Dependent repositories
16,808,006 Downloads total

Affected Version Ranges

All affected versions

8.0.0, 8.0.0-BETA1, 8.0.0-BETA2, 8.0.0-BETA3, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.1.0, 8.2.0, 8.2.1, 8.3.0, 8.3.1, 8.3.2, 8.3.3, 8.3.4, 8.3.5, 8.3.6, 8.3.7, 8.3.8, 8.4.0, 8.5.0, 8.6.0, 8.7.0, 8.7.1, 8.8.0, 8.9.0, 8.9.1, 8.9.3, 8.10.0, 8.11.0, 8.11.1, 8.12.0, 8.13.0

All unaffected versions

0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.1.0, 5.1.1, 5.2.0, 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.5.0, 5.5.1, 5.6.0, 5.7.0, 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.6.1, 7.6.2, 7.7.0, 7.8.0, 7.9.0, 7.9.1, 7.9.2, 8.14.0, 8.15.0

Overview
Session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.

Am I Affected?
You are affected by this vulnerability if you meet the following pre-conditions:

  1. Applications using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK:
    a. Auth0/symfony,
    b. Auth0/laravel-auth0,
    c. Auth0/wordpress,
  2. Session storage configured with CookieStore.

Fix
Upgrade Auth0/Auth0-PHP to v8.14.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.

Acknowledgement
Okta would like to thank Félix Charette for discovering this vulnerability.

References:

Identifiers

GHSA-g98g-r7gf-2r25

CVE-2025-47275

Risk

Severity

Critical

EPSS

EPSS Percentage: 0.00024

EPSS Percentile: 0.04778

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/auth0/auth0-PHP

Date and time

Published

2 months ago

Updated

2 months ago

API

JSON