{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-47275", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-05-05T16:53:10.372Z", "datePublished": "2025-05-15T21:13:01.150Z", "dateUpdated": "2025-05-22T20:03:34.201Z"}, "containers": {"cna": {"title": "Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-g98g-r7gf-2r25", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-g98g-r7gf-2r25"}, {"name": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj3", "tags": ["x_refsource_MISC"], "url": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj3"}, {"name": "https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch", "tags": ["x_refsource_MISC"], "url": "https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch"}, {"name": "https://github.com/auth0/wordpress/security/advisories/GHSA-2f4r-34m4-3w8q", "tags": ["x_refsource_MISC"], "url": "https://github.com/auth0/wordpress/security/advisories/GHSA-2f4r-34m4-3w8q"}, {"name": "https://github.com/auth0/auth0-PHP/commit/52a79480fdb246f59dbc089b81a784ae049bd389", "tags": ["x_refsource_MISC"], "url": "https://github.com/auth0/auth0-PHP/commit/52a79480fdb246f59dbc089b81a784ae049bd389"}, {"name": "https://github.com/auth0/auth0-PHP/releases/tag/8.14.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/auth0/auth0-PHP/releases/tag/8.14.0"}], "affected": [{"vendor": "auth0", "product": "auth0-PHP", "versions": [{"version": ">= 8.0.0-BETA1, < 8.14.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-22T20:03:34.201Z"}, "descriptions": [{"lang": "en", "value": "Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Certain pre-conditions are required to be vulnerable to this issue: Applications using the Auth0-PHP SDK, or the Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress SDKs that rely on the Auth0-PHP SDK; and session storage configured with CookieStore. Upgrade Auth0/Auth0-PHP to v8.14.0 to receive a patch. As an additional precautionary measure, rotating cookie encryption keys is recommended. Note that once updated, any previous session cookies will be rejected."}], "source": {"advisory": "GHSA-g98g-r7gf-2r25", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-16T13:37:38.336273Z", "id": "CVE-2025-47275", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-16T13:37:44.844Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-47275", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-16T13:37:38.336273Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-16T13:37:42.164Z"}}], "cna": {"title": "Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK", "source": {"advisory": "GHSA-g98g-r7gf-2r25", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "auth0", "product": "auth0-PHP", "versions": [{"status": "affected", "version": ">= 8.0.0-BETA1, < 8.14.0"}]}], "references": [{"url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-g98g-r7gf-2r25", "name": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-g98g-r7gf-2r25", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj3", "name": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj3", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch", "name": "https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/auth0/wordpress/security/advisories/GHSA-2f4r-34m4-3w8q", "name": "https://github.com/auth0/wordpress/security/advisories/GHSA-2f4r-34m4-3w8q", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/auth0/auth0-PHP/commit/52a79480fdb246f59dbc089b81a784ae049bd389", "name": "https://github.com/auth0/auth0-PHP/commit/52a79480fdb246f59dbc089b81a784ae049bd389", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/auth0/auth0-PHP/releases/tag/8.14.0", "name": "https://github.com/auth0/auth0-PHP/releases/tag/8.14.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Certain pre-conditions are required to be vulnerable to this issue: Applications using the Auth0-PHP SDK, or the Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress SDKs that rely on the Auth0-PHP SDK; and session storage configured with CookieStore. Upgrade Auth0/Auth0-PHP to v8.14.0 to receive a patch. As an additional precautionary measure, rotating cookie encryption keys is recommended. Note that once updated, any previous session cookies will be rejected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-22T20:03:34.201Z"}}}, "cveMetadata": {"cveId": "CVE-2025-47275", "state": "PUBLISHED", "dateUpdated": "2025-05-22T20:03:34.201Z", "dateReserved": "2025-05-05T16:53:10.372Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-05-15T21:13:01.150Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Certain pre-conditions are required to be vulnerable to this issue: Applications using the Auth0-PHP SDK, or the Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress SDKs that rely on the Auth0-PHP SDK; and session storage configured with CookieStore. Upgrade Auth0/Auth0-PHP to v8.14.0 to receive a patch. As an additional precautionary measure, rotating cookie encryption keys is recommended. Note that once updated, any previous session cookies will be rejected."}, {"lang": "es", "value": "Auth0-PHP proporciona el SDK de PHP para las API de autenticaci\u00f3n y administraci\u00f3n de Auth0. A partir de la versi\u00f3n 8.0.0-BETA1 y anteriores a la 8.14.0, las cookies de sesi\u00f3n de las aplicaciones que utilizan el SDK de Auth0-PHP configurado con CookieStore tienen etiquetas de autenticaci\u00f3n susceptibles de ataques de fuerza bruta, lo que puede provocar accesos no autorizados. Se requieren ciertas condiciones para ser vulnerables a este problema: Aplicaciones que utilizan el SDK de Auth0-PHP o los SDK de Auth0/Symfony, Auth0/Laravel-auth0 y Auth0/WordPress que dependen del SDK de Auth0-PHP; y almacenamiento de sesiones configurado con CookieStore. Actualice Auth0/Auth0-PHP a la versi\u00f3n 8.14.0 para recibir una actualizaci\u00f3n. Como medida de precauci\u00f3n adicional, se recomienda rotar las claves de cifrado de cookies. Tenga en cuenta que, una vez actualizada, se rechazar\u00e1n las cookies de sesi\u00f3n anteriores."}], "id": "CVE-2025-47275", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-05-15T22:15:18.667", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/auth0/auth0-PHP/commit/52a79480fdb246f59dbc089b81a784ae049bd389"}, {"source": "security-advisories@github.com", "url": "https://github.com/auth0/auth0-PHP/releases/tag/8.14.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-g98g-r7gf-2r25"}, {"source": "security-advisories@github.com", "url": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj3"}, {"source": "security-advisories@github.com", "url": "https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch"}, {"source": "security-advisories@github.com", "url": "https://github.com/auth0/wordpress/security/advisories/GHSA-2f4r-34m4-3w8q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}