What the vulnerability does
01 Description
Auth0-PHP is a PHP SDK for the Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. Because the SDK processes cookie content before any authentication takes place, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKs rely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue.
Explanation of the vulnerability in simple terms
02 Summary
Auth0's PHP SDK versions 8.0.0-BETA3 through 8.3.0 contain a deserialization vulnerability in how they handle untrusted data. An attacker can craft malicious serialized objects that, when processed by the SDK, execute arbitrary PHP code on the server. This affects any application using the vulnerable SDK versions to handle authentication or session data from untrusted sources.
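To make the vulnerability class concrete from a defender's side, the following is an added example and not code from Auth0-PHP or any of the affected SDKs. It places the weak pattern (calling PHP's `unserialize()` on raw cookie bytes, which makes every loaded class with magic methods reachable from the request) beside a hardened replacement that stores the cookie as JSON with an HMAC tag and verifies the tag before parsing anything, plus a small check that flags cookies shaped like PHP serialized data for logging or WAF rules. The class and function names, the key, and the cookie contents are all constructed for this example; it requires PHP 8.0 or later.

```php
<?php
// Added example (not Auth0-PHP code). Requires PHP 8.0+.
declare(strict_types=1);

// ---- Weak pattern: the shape of insecure cookie deserialization ----
// The cookie is attacker-controlled and unauthenticated, so unserialize()
// will instantiate whatever class the payload names and run its
// __wakeup()/__destruct() hooks. Keep this only as an illustration.
function loadSessionUnsafe(string $rawCookie): mixed
{
    return unserialize(base64_decode($rawCookie)); // vulnerable pattern
}
// Minimum hardening if the serialized format cannot be dropped yet:
//   unserialize($bytes, ['allowed_classes' => false]);  // objects become __PHP_Incomplete_Class
// The preferred fix is to stop using PHP serialization for untrusted input at all, as below.

// ---- Hardened pattern: JSON payload + HMAC-SHA256 tag, verified first ----
// Cookie layout: base64url(json) . "." . base64url(hmac_sha256(json, key))
final class SignedCookieCodec
{
    public function __construct(private string $key) {}

    public function encode(array $data): string
    {
        $json = json_encode($data, JSON_THROW_ON_ERROR);
        $tag  = hash_hmac('sha256', $json, $this->key, true);
        return self::b64url($json) . '.' . self::b64url($tag);
    }

    /** Returns the decoded array, or null if the tag is missing/invalid or the JSON is malformed. */
    public function decode(string $cookie): ?array
    {
        $parts = explode('.', $cookie, 2);
        if (count($parts) !== 2) {
            return null;
        }
        $json = self::unb64url($parts[0]);
        $tag  = self::unb64url($parts[1]);
        if ($json === null || $tag === null) {
            return null;
        }
        // Authenticate before parsing: nothing in the payload is trusted until the tag matches.
        $expected = hash_hmac('sha256', $json, $this->key, true);
        if (!hash_equals($expected, $tag)) { // constant-time comparison
            return null;
        }
        try {
            $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR); // arrays only, never objects
        } catch (JsonException) {
            return null;
        }
        return is_array($data) ? $data : null;
    }

    private static function b64url(string $s): string
    {
        return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
    }

    private static function unb64url(string $s): ?string
    {
        $decoded = base64_decode(strtr($s, '-_', '+/'), true); // strict mode rejects junk
        return $decoded === false ? null : $decoded;
    }
}

// ---- Detection aid: does a cookie value look like PHP serialized data? ----
// Useful as a log/WAF signal on endpoints that should only ever see JSON or opaque tokens.
function looksLikePhpSerialized(string $value): bool
{
    $candidate = base64_decode($value, true);
    if ($candidate === false) {
        $candidate = $value;
    }
    // Matches the leading type markers of serialized objects, arrays and strings, e.g. O:8:"stdClass":0:{}
    return (bool) preg_match('/^(?:O:\d+:"|a:\d+:\{|s:\d+:")/', $candidate);
}

// ---- Demo with constructed values ----
$codec  = new SignedCookieCodec('constructed-demo-key-replace-in-production');
$cookie = $codec->encode(['sub' => 'auth0|user123', 'exp' => 1750000000]);

$valid = $codec->decode($cookie);
echo 'valid cookie subject: ', $valid['sub'] ?? 'null', PHP_EOL;

// Swap the payload for "{}" (base64url "e30") but keep the original tag: HMAC check must fail.
$tampered = 'e30.' . explode('.', $cookie)[1];
echo 'tampered cookie decodes to: ', var_export($codec->decode($tampered), true), PHP_EOL;

// A harmless serialized stdClass shows what the detection check is looking for.
echo 'serialized-looking value flagged: ', var_export(looksLikePhpSerialized('O:8:"stdClass":0:{}'), true), PHP_EOL;
echo 'signed JSON cookie flagged: ', var_export(looksLikePhpSerialized($cookie), true), PHP_EOL;
```

The design point is ordering: the hardened codec authenticates the cookie with `hash_equals()` before it parses a single byte, and it parses with `json_decode(..., true)` so the result can only ever be scalars and arrays, never an object whose magic methods run. That is the property the vulnerable versions lacked, and `looksLikePhpSerialized()` gives operations teams a cheap way to spot cookie values that should not be arriving at an endpoint after the upgrade to a patched SDK version.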
What an attacker can do
03 Attacker capabilities
Run arbitrary PHP code on the server by sending malicious serialized data to the application.
Potential impact on your site
04 Site impact
Complete server compromise possible; attacker can read files, modify data, or take full control of the site.
Conditions required to exploit
05 Prerequisites
Network access to the application; no authentication or user interaction required.
Key dates
06 Disclosure timeline
June 3, 2025: CVE published
June 4, 2025: Record updated