PT-2025-23673 · Auth0 · Auth0/Wordpress+3
Kelvinzhu-Okta · Published 2025-06-03 · Updated 2025-06-06 · CVE-2025-48951

| Metric | Value |
|---|---|
| CVSS v4.0 | 9.3 (Critical) |
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H |
Name of the Vulnerable Software and Affected Versions
Auth0-PHP versions 8.0.0-BETA3 through 8.14.0
Description
The issue is due to insecure deserialization of cookie data. Because the SDK processes cookie content before any authentication takes place, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications built directly on the Auth0-PHP SDK are affected, as are those using the Auth0/symfony, Auth0/laravel-auth0 or Auth0/wordpress SDKs, since those packages depend on the vulnerable Auth0-PHP versions.
Recommendations
For versions 8.0.0-BETA3 through 8.14.0, update to version 8.14.0 to patch the security flaw. As a temporary workaround, consider restricting the processing of cookie content to minimize the risk of exploitation.
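To make the weakness class and the recommended mitigation concrete, here is an added illustration in PHP; it is not Auth0-PHP's own code and does not reproduce the SDK's cookie handling. It places the unsafe pattern (PHP unserialize() on an unauthenticated cookie) next to a handler that authenticates the cookie before decoding it and never instantiates objects from it. The cookie name, the key and the sample values are constructed placeholders.

```php
<?php
// Added illustration, not Auth0-PHP's own code: the weakness class (PHP
// unserialize() on an attacker-controlled cookie) next to a handler that
// authenticates the cookie before decoding it and never instantiates objects
// from it. Cookie name and key are constructed placeholders.
declare(strict_types=1);

const SESSION_COOKIE = 'app_state';                    // hypothetical
const COOKIE_KEY     = 'replace-with-32-random-bytes'; // hypothetical secret

// Unsafe pattern (CWE-502): the raw cookie reaches unserialize() before any
// authentication, so whoever sets the cookie chooses which autoloadable
// class gets instantiated.
function readStateInsecure(array $cookies): mixed
{
    return unserialize(base64_decode($cookies[SESSION_COOKIE] ?? ''));
}

// Hardened pattern: the payload is HMAC-authenticated (constant-time
// compare), encoded as JSON so decoding yields only arrays and scalars, and
// any failure rejects the cookie instead of processing it.
function readStateSecure(array $cookies, string $key = COOKIE_KEY): ?array
{
    $parts = explode('.', $cookies[SESSION_COOKIE] ?? '', 2);
    if (count($parts) !== 2) {
        return null;                                   // malformed
    }
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;                                   // forged or tampered
    }
    $decoded = json_decode(base64_decode($payload, true) ?: '', true);
    return is_array($decoded) ? $decoded : null;
}

function writeStateSecure(array $state, string $key = COOKIE_KEY): string
{
    $payload = base64_encode(json_encode($state, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// If a PHP-serialized legacy format must still be read, at minimum refuse
// object instantiation: unserialize($s, ['allowed_classes' => false]).

// Constructed check: a signed cookie round-trips, a forged one is rejected.
$signed = [SESSION_COOKIE => writeStateSecure(['sub' => 'auth0|123'])];
$forged = [SESSION_COOKIE => base64_encode('O:8:"stdClass":0:{}') . '.x'];
assert(readStateSecure($signed)['sub'] === 'auth0|123');
assert(readStateSecure($forged) === null);
```

The workaround named above ("restricting the processing of cookie content") corresponds to the rejection branches: nothing in the cookie is interpreted until its authenticity has been verified.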
Exploit
Fix
Deserialization of Untrusted Data
Related Identifiers
Affected Products
Auth0-Php
Auth0/Laravel-Auth0
Auth0/Symfony
Auth0/Wordpress