CVE-2025-48951: Auth0-PHP SDK Deserialization of Untrusted Data vulnerability

9.3 CVSS

Description

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions from 8.0.0-BETA3 prior to 8.14.0 contain a vulnerability due to insecure deserialization of cookie data. Because the SDK processes cookie content before any authentication takes place, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKs rely on Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.14.0 contains a patch for the issue.
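The following is an added illustration of the vulnerability class named in this advisory (CWE-502, deserialization of untrusted cookie data) and of a hardened alternative. It is not code from the Auth0-PHP SDK and does not reproduce the referenced patch; the cookie name, the `$secret` value and the function names are assumptions chosen for the example.

```php
<?php
// Added illustration of CWE-502 in cookie handling; not code from the Auth0-PHP SDK.
// The cookie layout, function names and $secret are assumptions for this example.

declare(strict_types=1);

// Vulnerable pattern: unserialize() on bytes taken straight from a client cookie.
// PHP will instantiate whatever classes the serialized payload names and run their
// __wakeup()/__destruct() magic methods, so the caller has no control over what
// code executes. No authentication of the cookie happens before this point.
function restoreStateUnsafe(string $cookieValue): mixed
{
    return unserialize(base64_decode($cookieValue, true));
}

// Hardened pattern, part 1: when writing the cookie, encode state as JSON and
// attach an HMAC over the payload so it cannot be altered by the client.
function sealState(array $state, string $secret): string
{
    $payload = json_encode($state, JSON_THROW_ON_ERROR);
    $mac = hash_hmac('sha256', $payload, $secret);
    return base64_encode($payload) . '.' . $mac;
}

// Hardened pattern, part 2: verify the HMAC before trusting anything, then decode
// with json_decode(), which yields only scalars and arrays, never objects whose
// magic methods could run. Any failure returns null instead of partial state.
function restoreStateSafe(string $cookieValue, string $secret): ?array
{
    $parts = explode('.', $cookieValue, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encoded, $mac] = $parts;
    $payload = base64_decode($encoded, true);
    if ($payload === false) {
        return null;
    }
    // hash_equals() is a constant-time comparison, so a forged MAC cannot be
    // distinguished from a valid one by timing.
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $state = json_decode($payload, true, 512, JSON_THROW_ON_ERROR);
    return is_array($state) ? $state : null;
}

// Usage with a constructed cookie value; in a real application $secret comes
// from server-side configuration and the cookie value from $_COOKIE.
$secret = 'REPLACE-WITH-RANDOM-SECRET-FROM-CONFIG'; // placeholder, not a real key
$cookie = sealState(['nonce' => 'abc123', 'returnTo' => '/dashboard'], $secret);
var_dump(restoreStateSafe($cookie, $secret));              // verified, decoded state
var_dump(restoreStateSafe($cookie . 'tampered', $secret)); // MAC mismatch, rejected
```

If a codebase cannot move away from PHP's native serialization format immediately, `unserialize($data, ['allowed_classes' => false])` is a narrower stop-gap that prevents object instantiation, but it still does not authenticate the cookie; the MAC check above is what stops an unauthenticated client from supplying the payload in the first place.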

Classification

CVE ID: CVE-2025-48951

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H

Problem Types

CWE-502: Deserialization of Untrusted Data

Affected Products

Vendor: auth0

Product: auth0-PHP

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (estimated probability of exploitation in the wild)

EPSS Percentile: 19.14% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-04 (date the score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-48951
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492
https://github.com/auth0/auth0-PHP/commit/52a79480fdb246f59dbc089b81a784ae049bd389

Timeline