PT-2025-21575 · Auth0 · Auth0/Wordpress+3
Sideni · Published 2025-05-15 · Updated 2025-05-20 · CVE-2025-47275
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions:
Auth0-PHP versions 8.0.0-BETA1 through 8.13.x
Description:
The issue affects applications that use the Auth0-PHP SDK with session storage configured as CookieStore: the authentication tags on the session cookies can be brute forced, potentially resulting in unauthorized access. Two pre-conditions must both hold for an application to be vulnerable: it uses the Auth0-PHP SDK, either directly or through one of the SDKs built on it (Auth0/symfony, Auth0/laravel-auth0, Auth0/wordpress), and its session storage is configured with CookieStore.
Recommendations:
Upgrade Auth0/Auth0-PHP to v8.14.0 to receive a patch.
As an additional precautionary measure, rotate cookie encryption keys.
Note that once updated, any previous session cookies will be rejected.
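The following is an added example, not code from Auth0 or from this advisory: it reads a Composer lock file and flags an installed auth0/auth0-php in the affected range (8.0.0-BETA1 through 8.13.x, fixed in 8.14.0), together with any of the wrapper SDKs named above that pull it in. The lock file contents and the wrapper version shown are constructed sample values; whether CookieStore is actually configured still has to be checked in the application's own configuration.

```python
"""Flag auth0/auth0-php installs in the CVE-2025-47275 affected range (8.x below 8.14.0)."""
import json
import re

FIXED = (8, 14, 0)  # first patched release per the advisory
# SDKs that depend on auth0/auth0-php and inherit the issue when CookieStore is used
WRAPPER_PACKAGES = {"auth0/symfony", "auth0/laravel-auth0", "auth0/wordpress"}


def parse_version(raw: str) -> tuple:
    """Turn '8.0.0-BETA1' or 'v8.13.2' into (8, 0, 0) / (8, 13, 2).

    The pre-release tag is dropped on purpose: 8.0.0-BETA1 is the first 8.x
    release and is inside the affected range, so numeric parts suffice."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(raw: str) -> bool:
    """True for every 8.x version older than the 8.14.0 fix."""
    v = parse_version(raw)
    return v[0] == 8 and v < FIXED


def audit_lock(lock_json: str) -> dict:
    """Return {package: version} for the affected core SDK plus any installed wrappers.

    Returns an empty dict when auth0/auth0-php is absent or already patched."""
    lock = json.loads(lock_json)
    installed = {p["name"]: p["version"]
                 for p in lock.get("packages", []) + lock.get("packages-dev", [])}
    core = installed.get("auth0/auth0-php")
    if core is None or not is_affected(core):
        return {}
    findings = {"auth0/auth0-php": core}
    for name in sorted(WRAPPER_PACKAGES & installed.keys()):
        findings[name] = installed[name]
    return findings


# Constructed composer.lock excerpt (the wrapper version is a made-up sample value).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "auth0/auth0-php", "version": "8.13.0"},
    {"name": "auth0/wordpress", "version": "5.1.0"},
    {"name": "psr/log", "version": "3.0.0"},
]})

if __name__ == "__main__":
    for name, version in audit_lock(SAMPLE_LOCK).items():
        print(f"AFFECTED {name} {version}: upgrade auth0/auth0-php to 8.14.0 and rotate cookie keys")
```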
Weakness Enumeration: Improper Authentication
Related Identifiers: CVE-2025-47275
Affected Products:
Auth0-Php
Auth0/Laravel-Auth0
Auth0/Symfony
Auth0/Wordpress