Refine your search
4 vulnerabilities found for auth0-PHP by auth0
CVE-2026-34236 (GCVE-0-2026-34236)
Vulnerability from cvelistv5
Published
2026-04-01 17:04
Modified
2026-04-01 17:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-331 - Insufficient Entropy
Summary
Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. This issue has been patched in version 8.19.0.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34236",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T17:59:49.583107Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T17:59:59.001Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "auth0-PHP",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.19.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. This issue has been patched in version 8.19.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331: Insufficient Entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T17:04:53.378Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-w3wc-44p4-m4j7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-w3wc-44p4-m4j7"
},
{
"name": "https://github.com/auth0/auth0-PHP/releases/tag/8.19.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/auth0-PHP/releases/tag/8.19.0"
}
],
"source": {
"advisory": "GHSA-w3wc-44p4-m4j7",
"discovery": "UNKNOWN"
},
"title": "Auth0 PHP SDK Insufficient Entropy in Cookie Encryption"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34236",
"datePublished": "2026-04-01T17:04:53.378Z",
"dateReserved": "2026-03-26T16:22:29.034Z",
"dateUpdated": "2026-04-01T17:59:59.001Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68129 (GCVE-0-2025-68129)
Vulnerability from cvelistv5
Published
2025-12-17 22:07
Modified
2025-12-18 15:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects are affected if they use Auth0-PHP SDK versions between v8.0.0 and v8.17.0, or applications using the following SDKs that rely on the Auth0-PHP SDK versions between v8.0.0 and v8.17.0: Auth0/symfony versions between 5.0.0 and 5.5.0, Auth0/laravel-auth0 versions between 7.0.0 and 7.19.0, and/or Auth0/wordpress plugin versions between 5.0.0-BETA0 and 5.4.0. Auth0/Auth0-PHP version 8.18.0 contains a patch for the issue.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68129",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T14:53:59.445866Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T15:07:22.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "auth0-PHP",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.18.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects are affected if they use Auth0-PHP SDK versions between v8.0.0 and v8.17.0, or applications using the following SDKs that rely on the Auth0-PHP SDK versions between v8.0.0 and v8.17.0: Auth0/symfony versions between 5.0.0 and 5.5.0, Auth0/laravel-auth0 versions between 7.0.0 and 7.19.0, and/or Auth0/wordpress plugin versions between 5.0.0-BETA0 and 5.4.0. Auth0/Auth0-PHP version 8.18.0 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T22:07:35.645Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-j2vm-wrq3-f7gf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-j2vm-wrq3-f7gf"
},
{
"name": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-7hh9-gp72-wh7h",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-7hh9-gp72-wh7h"
},
{
"name": "https://github.com/auth0/symfony/security/advisories/GHSA-f3r2-88mq-9v4g",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/symfony/security/advisories/GHSA-f3r2-88mq-9v4g"
},
{
"name": "https://github.com/auth0/wordpress/security/advisories/GHSA-vvg7-8rmq-92g7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/wordpress/security/advisories/GHSA-vvg7-8rmq-92g7"
},
{
"name": "https://github.com/auth0/auth0-PHP/commit/7fe700053aee609718460c123f00f53c511f0f7f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/auth0-PHP/commit/7fe700053aee609718460c123f00f53c511f0f7f"
},
{
"name": "https://github.com/auth0/laravel-auth0/commit/a1c3344dc0e5a36e8f56c8cfc535728d3d7558f3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/laravel-auth0/commit/a1c3344dc0e5a36e8f56c8cfc535728d3d7558f3"
},
{
"name": "https://github.com/auth0/symfony/commit/0103d6f8dcef6996653fad1f823d1c167f472479",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/symfony/commit/0103d6f8dcef6996653fad1f823d1c167f472479"
},
{
"name": "https://github.com/auth0/wordpress/commit/b207c6f7fd06507b90c4e6bcc18a857ef9e018de",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/wordpress/commit/b207c6f7fd06507b90c4e6bcc18a857ef9e018de"
},
{
"name": "https://github.com/auth0/auth0-PHP/releases/tag/8.18.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/auth0-PHP/releases/tag/8.18.0"
},
{
"name": "https://github.com/auth0/laravel-auth0/releases/tag/7.20.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/laravel-auth0/releases/tag/7.20.0"
},
{
"name": "https://github.com/auth0/symfony/releases/tag/5.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/symfony/releases/tag/5.6.0"
},
{
"name": "https://github.com/auth0/wordpress/releases/tag/5.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/wordpress/releases/tag/5.5.0"
}
],
"source": {
"advisory": "GHSA-j2vm-wrq3-f7gf",
"discovery": "UNKNOWN"
},
"title": "Auth0-PHP SDK has Improper Audience Validation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68129",
"datePublished": "2025-12-17T22:07:35.645Z",
"dateReserved": "2025-12-15T18:05:52.209Z",
"dateUpdated": "2025-12-18T15:07:22.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48951 (GCVE-0-2025-48951)
Vulnerability from cvelistv5
Published
2025-06-03 20:52
Modified
2025-06-04 20:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKsrely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48951",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-04T13:33:17.352742Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T13:33:26.037Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "auth0-PHP",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0-BETA3, \u003c 8.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKsrely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T20:32:18.609Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492"
},
{
"name": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q"
},
{
"name": "https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34"
},
{
"name": "https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r"
},
{
"name": "https://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715"
}
],
"source": {
"advisory": "GHSA-v9m8-9xxp-q492",
"discovery": "UNKNOWN"
},
"title": "Auth0-PHP SDK Deserialization of Untrusted Data vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48951",
"datePublished": "2025-06-03T20:52:35.064Z",
"dateReserved": "2025-05-28T18:49:07.585Z",
"dateUpdated": "2025-06-04T20:32:18.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47275 (GCVE-0-2025-47275)
Vulnerability from cvelistv5
Published
2025-05-15 21:13
Modified
2025-05-22 20:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Certain pre-conditions are required to be vulnerable to this issue: Applications using the Auth0-PHP SDK, or the Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress SDKs that rely on the Auth0-PHP SDK; and session storage configured with CookieStore. Upgrade Auth0/Auth0-PHP to v8.14.0 to receive a patch. As an additional precautionary measure, rotating cookie encryption keys is recommended. Note that once updated, any previous session cookies will be rejected.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47275",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-16T13:37:38.336273Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-16T13:37:44.844Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "auth0-PHP",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0-BETA1, \u003c 8.14.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Certain pre-conditions are required to be vulnerable to this issue: Applications using the Auth0-PHP SDK, or the Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress SDKs that rely on the Auth0-PHP SDK; and session storage configured with CookieStore. Upgrade Auth0/Auth0-PHP to v8.14.0 to receive a patch. As an additional precautionary measure, rotating cookie encryption keys is recommended. Note that once updated, any previous session cookies will be rejected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T20:03:34.201Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-g98g-r7gf-2r25",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-g98g-r7gf-2r25"
},
{
"name": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj3"
},
{
"name": "https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch"
},
{
"name": "https://github.com/auth0/wordpress/security/advisories/GHSA-2f4r-34m4-3w8q",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/wordpress/security/advisories/GHSA-2f4r-34m4-3w8q"
},
{
"name": "https://github.com/auth0/auth0-PHP/commit/52a79480fdb246f59dbc089b81a784ae049bd389",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/auth0-PHP/commit/52a79480fdb246f59dbc089b81a784ae049bd389"
},
{
"name": "https://github.com/auth0/auth0-PHP/releases/tag/8.14.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/auth0-PHP/releases/tag/8.14.0"
}
],
"source": {
"advisory": "GHSA-g98g-r7gf-2r25",
"discovery": "UNKNOWN"
},
"title": "Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47275",
"datePublished": "2025-05-15T21:13:01.150Z",
"dateReserved": "2025-05-05T16:53:10.372Z",
"dateUpdated": "2025-05-22T20:03:34.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}