CVE-2025-47275: Critical Authentication Flaw in Auth0-PHP SDK

Overview

CVE-2025-47275 is a critical vulnerability in the Auth0-PHP SDK affecting versions from 8.0.0-BETA1 up to (but not including) 8.14.0. This vulnerability involves forgeable encrypted session cookies that can allow unauthorized access under specific conditions. The flaw impacts applications configured to use CookieStore for session management.

Technical Details

The vulnerability is categorized as CWE-287: Improper Authentication. It stems from weak authentication tags used in encrypted session cookies. These tags can potentially be brute-forced, enabling attackers to forge session cookies and gain unauthorized access to an application without credentials.

The attack is possible only under certain preconditions:

  • The application uses the Auth0-PHP SDK version >= 8.0.0-BETA1 and < 8.14.0
  • CookieStore is used for storing session data
  • Applications built on dependent integrations such as auth0/laravel-auth0, auth0/symfony, or auth0/wordpress, which bundle the SDK, may also be affected

Severity and CVSS Score

This issue has been scored with a CVSS v3.1 base score of 9.1 (Critical):

  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Confidentiality and Integrity impact: High
  • Attack complexity: Low

The vulnerability can be exploited remotely over the network without user interaction or authentication, highlighting its high risk profile.

SSVC Analysis

The CISA Stakeholder-Specific Vulnerability Categorization (SSVC) indicates:

  • No known active exploitation
  • Automatable attack scenario
  • Total technical impact if exploited

This categorization further reinforces the urgency of mitigation.

Mitigation Recommendations

To mitigate CVE-2025-47275, take the following steps:

  • Upgrade to Auth0-PHP SDK version 8.14.0 or later
  • Rotate your cookie encryption keys
  • Be aware that after updating, all existing session cookies will become invalid
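As an added illustration, not code from the Auth0-PHP SDK or its fix, the following PHP sketch seals a session cookie with AES-256-GCM and a full 16-byte authentication tag, then checks the two properties this advisory turns on: a tampered cookie is rejected, and rotating the key (as the mitigation steps require) invalidates every cookie issued under the old key. The keys, session fields and the 4-byte comparison tag length are constructed for the example and say nothing about the SDK's actual tag size.

```php
<?php
// Added example, not Auth0-PHP SDK code: an AEAD-sealed session cookie with a
// full 16-byte AES-GCM tag, plus tamper and key-rotation checks.
declare(strict_types=1);

const CIPHER  = 'aes-256-gcm';
const IV_LEN  = 12;   // 96-bit nonce, the recommended GCM nonce size
const TAG_LEN = 16;   // 128-bit tag; shorter tags shrink the forgery search space

function sealSession(array $session, string $key): string {
    $iv  = random_bytes(IV_LEN);
    $tag = '';
    $ct  = openssl_encrypt(json_encode($session), CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) { throw new RuntimeException('encryption failed'); }
    return base64_encode($iv . $tag . $ct);   // cookie value = iv || tag || ciphertext
}

function openSession(string $cookie, string $key): ?array {
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) < IV_LEN + TAG_LEN) { return null; }
    $iv  = substr($raw, 0, IV_LEN);
    $tag = substr($raw, IV_LEN, TAG_LEN);
    $ct  = substr($raw, IV_LEN + TAG_LEN);
    // openssl_decrypt checks the full tag and returns false on any mismatch
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : json_decode($pt, true);
}

// Expected number of guesses to forge a tag of $tagLen bytes blindly: 2^(8 * tagLen).
function tagBruteForceSpace(int $tagLen): float { return 2 ** (8 * $tagLen); }

$oldKey = random_bytes(32);   // constructed sample keys; load from a secret store in production
$newKey = random_bytes(32);
$cookie = sealSession(['sub' => 'auth0|example-user', 'exp' => time() + 3600], $oldKey);

var_dump(openSession($cookie, $oldKey) !== null);   // genuine cookie under the issuing key is accepted

// Flip one ciphertext bit: the tag no longer matches and the cookie is rejected.
$raw = base64_decode($cookie);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
var_dump(openSession(base64_encode($raw), $oldKey) === null);

// Key rotation: a cookie sealed under the old key is unreadable under the new one,
// which is why every existing session is invalidated after rotating.
var_dump(openSession($cookie, $newKey) === null);

printf("guesses to forge a tag: 16-byte %.0e vs 4-byte (illustrative) %.0e\n",
       tagBruteForceSpace(16), tagBruteForceSpace(4));
```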

Conclusion

Given the potential for unauthorized access, prompt remediation is strongly recommended for all affected applications.
