Deserialization in Auth0 Auth0-php
CVE-2025-48951
Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior…
Vulnerability class: Insecure Deserialization
EPSS: 0.002 (37.1th percentile) — read the EPSS interpretation.
Affected products
- Auth0 Auth0-php — versions >= 8.0.0-BETA3, < 8.3.1
Weakness classification (CWE)
References
- https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492 (x_refsource_CONFIRM)
- https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q (x_refsource_MISC)
- https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34 (x_refsource_MISC)
- https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r (x_refsource_MISC)
- https://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715 (x_refsource_MISC)