Insecure deserialization in auth0/symfony

Description

Auth0 Symfony SDK Deserialization of Untrusted Data vulnerability

Overview

The Auth0 Symfony SDK contains a critical vulnerability due to insecure deserialization of cookie data. Because the SDK processes cookie content before any authentication takes place, a threat actor could send a specially crafted cookie containing malicious serialized data and have it deserialized by the application.
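The following is an added illustration of the bug class the advisory describes, not code from the Auth0 SDK: a handler that calls PHP's unserialize() on a cookie before anything has been verified, beside a hardened version that authenticates the cookie with an HMAC first and then decodes it with json_decode(), which cannot instantiate objects. The cookie name, the secret key and all function names are hypothetical.

```php
<?php
// Added example, not the Auth0 SDK's code. Shows the vulnerable pattern
// (trusting serialized cookie data) next to a hardened alternative.
// $cookieName, $secretKey and the function names are hypothetical.

declare(strict_types=1);

$cookieName = 'session_state';                       // hypothetical cookie name
$secretKey  = 'replace-with-a-random-32-byte-secret'; // hypothetical server-side key

// Vulnerable pattern: unserialize() on attacker-controlled input lets the
// sender choose which classes get instantiated (and whose __wakeup/__destruct
// run) before the application has checked anything about the request.
function readStateVulnerable(string $cookieName): mixed
{
    if (!isset($_COOKIE[$cookieName])) {
        return null;
    }
    return unserialize(base64_decode($_COOKIE[$cookieName]));
}

// Hardened write side: serialize to JSON (data only, no objects) and attach
// an HMAC so the server can tell its own cookies from forged ones.
function writeStateHardened(string $cookieName, array $state, string $secretKey): void
{
    $payload = base64_encode(json_encode($state, JSON_THROW_ON_ERROR));
    $mac     = hash_hmac('sha256', $payload, $secretKey);
    setcookie($cookieName, $payload . '.' . $mac, [
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
}

// Hardened read side:
// 1. verify the HMAC in constant time BEFORE looking inside the payload,
// 2. decode with json_decode(), which can only produce arrays and scalars,
// 3. validate the shape of the result.
function readStateHardened(string $cookieName, string $secretKey): ?array
{
    if (!isset($_COOKIE[$cookieName])) {
        return null;
    }
    $parts = explode('.', $_COOKIE[$cookieName], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $secretKey), $mac)) {
        return null; // unauthenticated cookie: never parsed
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    $state = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    return is_array($state) ? $state : null;
}

// If unserialize() must remain for compatibility, forbid object creation.
// This removes the class-instantiation surface but does NOT authenticate
// the data; the HMAC check above is still required.
function unserializeScalarsOnly(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false]);
}
```

The order of operations in readStateHardened is the point: authentication of the cookie happens before any parsing, so a forged cookie is rejected without ever reaching a deserializer. Switching the format to JSON additionally removes the object-instantiation behaviour that makes PHP's native serialization dangerous on untrusted input.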

Am I Affected?

You are affected by this vulnerability if you meet the following preconditions:

    Your application uses the Auth0 Symfony SDK, versions between 5.0.0 BETA-0 and 5.0.0.

    The Auth0 Symfony SDK uses the Auth0-PHP SDK at a version from 8.0.0-BETA3 to 8.3.0.

Fix

Upgrade auth0/symfony to the latest version (v5.4.0).

Acknowledgement

Okta would like to thank Andreas Forsblom for discovering this vulnerability.

Mitigation

Update Impact: minimal update. May introduce new vulnerabilities or breaking changes.
