
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN341

_____________________________________________________________________

DATE                : 06/06/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running auth0-php versions prior to 8.3.1,
                     laravel-auth0 versions prior to 7.2.2,
                     Auth0 Symfony versions prior to 5.1.0,
                     Auth0 WordPress versions prior to 5.1.0.

=====================================================================
https://github.com/advisories/GHSA-v9m8-9xxp-q492
https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q
https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34
https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r
_____________________________________________________________________


Auth0-PHP SDK Deserialization of Untrusted Data vulnerability
Critical severity. GitHub Reviewed. Published Jun 3, 2025 in
auth0/auth0-PHP. Updated Jun 4, 2025.

Vulnerability details

Package
auth0/auth0-php (Composer)

Affected versions
>= 8.0.0-BETA3, < 8.3.1

Patched versions
8.3.1

Description

Overview
The Auth0 PHP SDK contains a vulnerability caused by insecure
deserialization of cookie data. Because the SDK processes cookie
content before any authentication takes place, an unauthenticated
threat actor could send a specially crafted cookie containing malicious
serialized data.
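The pattern the overview describes, as an added illustration that is not the Auth0-PHP SDK's own code: a cookie handed straight to unserialize() before any authentication, next to a hardened version that authenticates the cookie with an HMAC and then decodes a format that cannot instantiate objects. The cookie name, secret and payload fields are hypothetical.

```php
<?php
// Added illustration of the CWE-502 cookie pattern described above; this is not
// the Auth0-PHP SDK's code. Cookie name, secret and payload fields are hypothetical.
declare(strict_types=1);

// VULNERABLE pattern: the cookie is unserialize()d before any authentication, so
// whoever sends the request decides which classes get instantiated and which
// __wakeup()/__destruct() hooks run. ['allowed_classes' => false] would at least
// block object creation, but authenticating the cookie first is the real fix.
function loadSessionVulnerable(array $cookies): ?array
{
    if (!isset($cookies['app_session'])) {
        return null;
    }
    $data = unserialize(base64_decode($cookies['app_session']));
    return is_array($data) ? $data : null;
}

// HARDENED pattern: verify an HMAC over the raw cookie value first, then decode
// JSON, which cannot create objects. Unsigned or modified input is never parsed.
function encodeSession(array $session, string $key): string
{
    $payload = base64_encode(json_encode($session, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

function loadSessionHardened(array $cookies, string $key): ?array
{
    $cookie = $cookies['app_session'] ?? null;
    if (!is_string($cookie) || substr_count($cookie, '.') !== 1) {
        return null;
    }
    [$payload, $mac] = explode('.', $cookie);
    // hash_equals() is constant-time; decoding happens only after the MAC matches.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// Constructed demo: a genuine cookie round-trips, a modified one is rejected unparsed.
$key = random_bytes(32);                       // hypothetical server-side secret
$cookie = encodeSession(['sub' => 'auth0|demo-user', 'exp' => time() + 3600], $key);
var_dump(loadSessionHardened(['app_session' => $cookie], $key));
var_dump(loadSessionHardened(['app_session' => strrev($cookie)], $key));
```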


Am I Affected?
You are affected by this vulnerability if you meet one of the following
preconditions:

    - Applications using the Auth0-PHP SDK, versions 8.0.0-BETA3
      through 8.3.0.
    - Applications using the following SDKs that rely on Auth0-PHP
      SDK versions 8.0.0-BETA3 through 8.3.0:
      a. Auth0/symfony,
      b. Auth0/laravel-auth0,
      c. Auth0/wordpress.

Fix
Upgrade Auth0/Auth0-PHP to 8.3.1.


Acknowledgement

Okta would like to thank Andreas Forsblom for discovering this
vulnerability.

References

    - GHSA-v9m8-9xxp-q492
    - https://nvd.nist.gov/vuln/detail/CVE-2025-48951
    - auth0/auth0-PHP@04b1f5d
    - GHSA-c42h-56wx-h85q
    - GHSA-98j6-67v3-mw34
    - GHSA-862m-5253-832r


Severity
Critical

9.3 / 10

CVSS v4 base metrics

Exploitability Metrics
  Attack Vector        : Network
  Attack Complexity    : Low
  Attack Requirements  : None
  Privileges Required  : None
  User Interaction     : None
Vulnerable System Impact Metrics
  Confidentiality      : None
  Integrity            : High
  Availability         : None
Subsequent System Impact Metrics
  Confidentiality      : High
  Integrity            : High
  Availability         : High
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H

EPSS score
0.083% (25th percentile)

Weaknesses
CWE-502

CVE ID
CVE-2025-48951

GHSA ID
GHSA-v9m8-9xxp-q492

Source code
auth0/auth0-PHP

_____________________________________________________________________


Deserialization of Untrusted Data in laravel-auth0 SDK
Critical
femiajiboye-okta published GHSA-c42h-56wx-h85q Jun 3, 2025

Package
auth0/login (Composer)

Affected versions
>= 7.0.0-BETA1, <= 7.2.1

Patched versions
7.2.2


Description

Overview
The laravel-auth0 SDK contains a critical vulnerability caused by
insecure deserialization of cookie data. Because the SDK processes
cookie content before any authentication takes place, an
unauthenticated threat actor could send a specially crafted cookie
containing malicious serialized data.


Am I Affected?
You are affected by this vulnerability if you meet the following
preconditions:

    - Applications using the laravel-auth0 SDK, versions
      7.0.0-BETA1 through 7.2.1.
    - The laravel-auth0 SDK uses the Auth0-PHP SDK, versions
      8.0.0-BETA3 through 8.3.0.


Fix
Upgrade Auth0/laravel-auth0 to the latest version (v7.17.0).


Acknowledgement

Okta would like to thank Andreas Forsblom for discovering this
vulnerability.

Severity
Critical

9.3 / 10

CVSS v4 base metrics

Exploitability Metrics
  Attack Vector        : Network
  Attack Complexity    : Low
  Attack Requirements  : None
  Privileges Required  : None
  User Interaction     : None
Vulnerable System Impact Metrics
  Confidentiality      : None
  Integrity            : High
  Availability         : None
Subsequent System Impact Metrics
  Confidentiality      : High
  Integrity            : High
  Availability         : High
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H

CVE ID
CVE-2025-48951

Weaknesses
No CWEs

_____________________________________________________________________


Deserialization of Untrusted Data in Auth0 Symfony SDK
Critical
femiajiboye-okta published GHSA-98j6-67v3-mw34 Jun 3, 2025

Package
auth0/symfony (Composer)

Affected versions
>= 5.0.0 BETA-0, <= 5.0.0

Patched versions
5.1.0


Description

Overview
The Auth0 Symfony SDK contains a critical vulnerability caused by
insecure deserialization of cookie data. Because the SDK processes
cookie content before any authentication takes place, an
unauthenticated threat actor could send a specially crafted cookie
containing malicious serialized data.


Am I Affected?
You are affected by this vulnerability if you meet the following
preconditions:

    - Applications using the Auth0 Symfony SDK, versions
      5.0.0 BETA-0 through 5.0.0.
    - The Auth0 Symfony SDK uses the Auth0-PHP SDK, versions
      8.0.0-BETA3 through 8.3.0.


Fix
Upgrade Auth0/symfony to the latest version (v5.4.0).


Acknowledgement

Okta would like to thank Andreas Forsblom for discovering this
vulnerability.


Severity
Critical

9.3 / 10

CVSS v4 base metrics

Exploitability Metrics
  Attack Vector        : Network
  Attack Complexity    : Low
  Attack Requirements  : None
  Privileges Required  : None
  User Interaction     : None
Vulnerable System Impact Metrics
  Confidentiality      : None
  Integrity            : High
  Availability         : None
Subsequent System Impact Metrics
  Confidentiality      : High
  Integrity            : High
  Availability         : High
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H

CVE ID
CVE-2025-48951

Weaknesses
No CWEs

_____________________________________________________________________

Deserialization of Untrusted Data in Auth0 WordPress Plugin
Critical
femiajiboye-okta published GHSA-862m-5253-832r Jun 3, 2025

Package
auth0/wordpress (Composer)

Affected versions
>= 5.0.0 BETA-0, <= 5.0.1

Patched versions
5.1.0


Description

Overview
The Auth0 WordPress plugin contains a critical vulnerability caused by
insecure deserialization of cookie data. Because the plugin processes
cookie content before any authentication takes place, an
unauthenticated threat actor could send a specially crafted cookie
containing malicious serialized data.


Am I Affected?

You are affected by this vulnerability if you meet the following
preconditions:

    - Applications using the Auth0 WordPress plugin, versions
      5.0.0 BETA-0 through 5.0.1.
    - The Auth0 WordPress plugin uses the Auth0-PHP SDK, versions
      8.0.0-BETA3 through 8.3.0.
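A way to answer the four "Am I Affected?" checks above from a project's composer.lock, as an added example that is not part of this note or of any Auth0 project: the version ranges are the ones listed in this note, the lock-file path is a placeholder, and the sample lock content is constructed.

```php
<?php
// Added example, not part of the advisory: check a project's composer.lock against
// the four affected ranges listed in this note. The lock-file path is a placeholder.
declare(strict_types=1);
// package name => [first affected version (inclusive), first patched version (exclusive)]
const AFFECTED_RANGES = [
    'auth0/auth0-php' => ['8.0.0-BETA3', '8.3.1'],
    'auth0/login'     => ['7.0.0-BETA1', '7.2.2'],   // laravel-auth0
    'auth0/symfony'   => ['5.0.0 BETA-0', '5.1.0'],
    'auth0/wordpress' => ['5.0.0 BETA-0', '5.1.0'],
];
// version_compare() needs lowercase pre-release tags and dot/dash separators:
// "v8.0.0-BETA3" and "5.0.0 BETA-0" become "8.0.0-beta3" and "5.0.0-beta-0".
function normalizeVersion(string $v): string
{
    return strtolower(preg_replace('/^v/i', '', str_replace(' ', '-', trim($v))));
}
function isAffected(string $installed, string $firstAffected, string $patched): bool
{
    $v = normalizeVersion($installed);
    return version_compare($v, normalizeVersion($firstAffected), '>=')
        && version_compare($v, normalizeVersion($patched), '<');
}
// Returns one finding per affected package in the lock file (dev packages included).
function auditComposerLock(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $findings = [];
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
        $name = strtolower($pkg['name'] ?? '');
        if (!isset(AFFECTED_RANGES[$name])) {
            continue;
        }
        [$first, $patched] = AFFECTED_RANGES[$name];
        if (isAffected($pkg['version'] ?? '0', $first, $patched)) {
            $findings[] = sprintf('%s %s is affected; upgrade to %s or later',
                                  $name, $pkg['version'], $patched);
        }
    }
    return $findings;
}
// Constructed lock-file fragment (not a real project): one vulnerable, one patched package.
$sampleLock = json_encode(['packages' => [
    ['name' => 'auth0/auth0-php', 'version' => 'v8.2.1'],
    ['name' => 'auth0/login',     'version' => 'v7.2.2'],
]]);
// For a real project: auditComposerLock(file_get_contents('/path/to/composer.lock'))
foreach (auditComposerLock($sampleLock) as $finding) echo $finding, PHP_EOL;
```

Only the auth0/auth0-php entry is reported for the sample; a lock file that pins all four packages at or above the patched versions yields an empty result.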


Fix
Upgrade the Auth0 WordPress plugin to the latest version (v5.3.0).


Severity
Critical

9.3 / 10

CVSS v4 base metrics

Exploitability Metrics
  Attack Vector        : Network
  Attack Complexity    : Low
  Attack Requirements  : None
  Privileges Required  : None
  User Interaction     : None
Vulnerable System Impact Metrics
  Confidentiality      : None
  Integrity            : High
  Availability         : None
Subsequent System Impact Metrics
  Confidentiality      : High
  Integrity            : High
  Availability         : High
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H

CVE ID
CVE-2025-48951

Weaknesses
No CWEs


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
