logo

Database

Improper authorization control for web services In auth0/auth0-php

Description

Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK Overview Session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.

Am I Affected? You are affected by this vulnerability if you meet the following pre-conditions:

    Applications using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK: a. Auth0/symfony, b. Auth0/laravel-auth0, c. Auth0/wordpress,

    Session storage configured with CookieStore.

Fix Upgrade Auth0/Auth0-PHP to v8.14.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.

Acknowledgement Okta would like to thank Félix Charette for discovering this vulnerability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-472752. NVD-2025-472753. OSV-2025-472754. GHSA-g98g-r7gf-2r255. GHSA-9fwj-9mjf-rhj36. GHSA-9wg9-93h9-j8ch7. GHSA-2f4r-34m4-3w8q8. GCVE-2025-47275

References

1. https://github.com/auth0/auth0-PHP/security/advisories/GHSA-g98g-r7gf-2r252. https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj33. https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch4. https://github.com/auth0/wordpress/security/advisories/GHSA-2f4r-34m4-3w8q5. https://github.com/auth0/auth0-PHP/commit/52a79480fdb246f59dbc089b81a784ae049bd3896. https://github.com/auth0/auth0-PHP/releases/tag/8.14.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.