PT-2026-32308 — Packagist Auth0/Symfony

PT-2026-32308 · Packagist · Auth0/Symfony

Publicado

2026-04-03

Atualizado

2026-04-03

CVSS v3.1

8.2

Alta

Vetor

AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Impact

In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies.

Am I Affected?

Consumers are affected if their application meets the following preconditions:

It uses the Auth0 Symfony SDK, versions between 5.0.0 and 5.7.0
Auth0 Symfony SDK using the Auth0-PHP SDK versions between 8.0.0 to 8.18.0.

Resolution

Upgrade Auth0/symfony-auth0 to version 5.8.0 or greater.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-331

Identificadores relacionados

GHSA-GHC5-95C2-VWCV

Produtos afetados

Auth0/Symfony