CVE-2025-48951

{"id": "CVE-2025-48951", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-03T21:15:21.840", "references": [{"url": "https://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715", "source": "security-advisories@github.com"}, {"url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492", "source": "security-advisories@github.com"}, {"url": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q", "source": "security-advisories@github.com"}, {"url": "https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34", "source": "security-advisories@github.com"}, {"url": "https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKsrely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue."}, {"lang": "es", "value": "Auth0-PHP es un SDK de PHP para las API de autenticaci\u00f3n y administraci\u00f3n de Auth0. Las versiones 8.0.0-BETA3 anteriores a la 8.14.0 contienen una vulnerabilidad debido a la deserializaci\u00f3n insegura de los datos de las cookies. Si se explota, dado que los SDK procesan el contenido de las cookies sin autenticaci\u00f3n previa, un atacante podr\u00eda enviar una cookie especialmente dise\u00f1ada con datos serializados maliciosos. Las aplicaciones que utilizan el SDK de Auth0-PHP se ven afectadas, al igual que las aplicaciones que utilizan los SDK de Auth0/Symfony, Auth0/Laravel-auth0 o Auth0/WordPress, ya que estos SDK dependen de las versiones 8.0.0-BETA3 a 8.14.0 del SDK de Auth0-PHP. La versi\u00f3n 8.3.1 incluye un parche para este problema.\n"}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "security-advisories@github.com"}