Insecure deserialization in auth0/auth0-php

Description

Auth0-PHP SDK Deserialization of Untrusted Data vulnerability

Overview

The Auth0 PHP SDK contains a vulnerability caused by insecure deserialization of cookie data. Because the SDK processes cookie content before any authentication takes place, a threat actor could send a specially crafted cookie containing malicious serialized data.
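To make the bug class concrete, the following is an added illustration (not code from the Auth0-PHP SDK or any of the affected packages): a hypothetical cookie-restore routine that feeds cookie bytes straight into `unserialize()`, next to a hardened version that authenticates the cookie with an HMAC before parsing it and uses a format that cannot instantiate objects. All function names, the secret and the sample state are constructed for the example.

```php
<?php
// Added example, not the SDK's own code. Names are hypothetical.

// UNSAFE pattern: cookie bytes are deserialized before any authentication.
// Whoever controls the cookie chooses which autoloadable classes get
// instantiated, and their __wakeup()/__destruct() hooks run on the server.
function restoreStateUnsafe(string $cookieValue): array
{
    $state = unserialize(base64_decode($cookieValue));
    return is_array($state) ? $state : [];
}

// HARDENED: verify an HMAC over the payload first, then parse JSON, which can
// only ever produce arrays and scalars. If the PHP serialization format must
// be kept, unserialize($data, ['allowed_classes' => false]) is the fallback.
function restoreStateSafe(string $cookieValue, string $secret): array
{
    $parts = explode('.', $cookieValue, 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    // Constant-time comparison: a forged or truncated tag is rejected
    // without leaking how many bytes matched.
    if (!hash_equals($expected, $mac)) {
        return [];
    }
    $raw = base64_decode($payload, true);
    $decoded = $raw === false ? null : json_decode($raw, true);
    return is_array($decoded) ? $decoded : [];
}

// Producer side: encode as JSON and append the tag the reader will check.
function writeStateSafe(array $state, string $secret): string
{
    $payload = base64_encode(json_encode($state, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Demonstration with a constructed secret and a constructed state array.
$secret = 'constructed-demo-secret';
$cookie = writeStateSafe(['nonce' => 'abc123', 'returnTo' => '/'], $secret);
var_dump(restoreStateSafe($cookie, $secret));        // original array
var_dump(restoreStateSafe($cookie . 'x', $secret));  // [] : tag mismatch
```

Rotating the secret invalidates every outstanding cookie, so keep it out of the codebase and load it from configuration.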

Am I Affected?

You are affected by this vulnerability if you meet any of the following preconditions:

    Applications using the Auth0-PHP SDK, versions 8.0.0-BETA3 through 8.3.0.

    Applications using the following SDKs, which rely on Auth0-PHP SDK versions 8.0.0-BETA3 through 8.3.0:
    a. Auth0/symfony
    b. Auth0/laravel-auth0
    c. Auth0/wordpress

Fix

Upgrade Auth0/Auth0-PHP to 8.3.1.

Acknowledgement

Okta would like to thank Andreas Forsblom for discovering this vulnerability.
