A newly disclosed vulnerability in the Auth0 PHP SDK, a widely used authentication toolkit with over 16 million downloads, poses a critical threat to web applications that rely on it for social and enterprise identity integration. The flaw, tracked as CVE-2025-48951, has received a CVSS score of 9.3, classifying it as critical.
"The Auth0 PHP SDK contains a vulnerability due to insecure deserialization of cookie data… a threat actor could send a specially crafted cookie containing malicious serialized data," the advisory explains.
This flaw impacts versions 8.0.0-BETA3 through 8.3.0 of the SDK and the integration packages that depend on it, including:
auth0/symfony
auth0/laravel-auth0
auth0/wordpress
The vulnerability stems from how the SDK handles cookie data before authentication. Because the cookie contents are deserialized before the request has been authenticated, an attacker can send a tampered cookie carrying a serialized payload that triggers arbitrary code execution or corrupts application logic, all without valid credentials. This is the classic PHP object injection problem: PHP's native deserialization (unserialize()) instantiates whatever classes the payload names and runs their magic methods, such as __wakeup() and __destruct(), so any suitable class already loaded by the application becomes a gadget the attacker can drive with values of their choosing.
"Since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie…," the advisory notes.
In applications where cookie contents are not isolated from application logic or verified before use, the flaw can lead to remote code execution (RCE) and data compromise, which makes it an attractive target for attackers.
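The mechanism described above, as an added example that is not part of the article or of the Auth0 SDK's own code: a harmless stand-in gadget class, the vulnerable pattern of handing an unauthenticated cookie to unserialize(), and two hardened variants. The class name FileCache, the function names and the signed-JSON cookie layout are assumptions made for illustration.

```php
<?php
// Added example, not code from the Auth0 SDK or its advisory. It shows why
// deserializing an unauthenticated cookie with unserialize() is dangerous and
// two hardened alternatives. FileCache, loadSession*() and the cookie layout
// are hypothetical.
declare(strict_types=1);

// A harmless stand-in for a "gadget": any class already loaded by the
// application whose magic methods act on attacker-controlled properties.
// Real gadgets write files, invoke callbacks or run queries.
final class FileCache
{
    public static array $log = [];
    public string $path = '';
    public string $content = '';

    // __wakeup() runs inside unserialize(), before the caller even looks at
    // the returned value. Here it only records what a real gadget would do.
    public function __wakeup(): void
    {
        self::$log[] = "would write '{$this->content}' to {$this->path}";
    }
}

// Vulnerable pattern: the cookie is trusted and fed straight to unserialize().
// PHP instantiates whatever class the payload names (PHP object injection).
function loadSessionVulnerable(string $cookie): mixed
{
    $raw = base64_decode($cookie, true);
    return $raw === false ? null : unserialize($raw);
}

// Mitigation when the serialized format cannot be changed: forbid object
// instantiation. Unknown classes become __PHP_Incomplete_Class, which has no
// magic methods, so the gadget never runs; scalars and arrays still load.
function loadSessionNoObjects(string $cookie): mixed
{
    $raw = base64_decode($cookie, true);
    return $raw === false ? null : unserialize($raw, ['allowed_classes' => false]);
}

// Hardened pattern: HMAC-signed JSON. The MAC is verified before anything is
// parsed, and json_decode() can only ever produce scalars and arrays.
function encodeSession(array $data, string $key): string
{
    $payload = base64_encode(json_encode($data, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

function loadSessionHardened(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison; a forged or tampered cookie stops here.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    try {
        $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    return is_array($data) ? $data : null;
}

// Constructed attacker cookie: a hand-written serialized FileCache object.
// The attacker needs no credentials, only the ability to send a cookie.
$evil = base64_encode(
    'O:9:"FileCache":2:{s:4:"path";s:14:"/tmp/pwned.txt";s:7:"content";s:5:"owned";}'
);

loadSessionVulnerable($evil);
echo "vulnerable: ", count(FileCache::$log), " gadget call(s) recorded\n";
print_r(FileCache::$log);

$placeholder = loadSessionNoObjects($evil);
echo "allowed_classes=false: payload became ", get_class($placeholder), "\n";

$key  = random_bytes(32);
$good = encodeSession(['sub' => 'auth0|123', 'nonce' => bin2hex(random_bytes(8))], $key);
echo "hardened, valid cookie:    ", json_encode(loadSessionHardened($good, $key)), "\n";
echo "hardened, attacker cookie: ", var_export(loadSessionHardened($evil, $key), true), "\n";
echo "hardened, tampered cookie: ", var_export(loadSessionHardened($good . 'x', $key), true), "\n";
```

Run it with PHP 8.0 or later. The vulnerable loader records a gadget invocation even though the application never touched the returned object, because __wakeup() fires inside unserialize() itself. With allowed_classes set to false the same payload comes back as a __PHP_Incomplete_Class placeholder and no method runs. The signed-JSON loader rejects both the attacker's cookie (no valid MAC) and the tampered cookie before any parsing happens, so no gadget is reachable. Signing alone is not sufficient if the application still calls unserialize() on the verified payload with objects allowed; the safe combination is to authenticate the cookie first and then parse it with a format that cannot instantiate classes.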
You're affected if:
You're using auth0/auth0-php between v8.0.0-BETA3 and v8.3.0.
Your application uses other SDKs that depend on these versions:
auth0/symfony
auth0/laravel-auth0
auth0/wordpress
Remediation is to upgrade auth0/auth0-php to v8.14.0 or later. The patched release validates serialized cookie data securely before processing it. For applications that use the integration packages listed above, confirm that the auth0/auth0-php version resolved in composer.lock is 8.14.0 or later, since Composer pins the SDK there even when it is only a transitive dependency.
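A quick way to apply the affected-version check above to an application's lock file, as an added example that is not Auth0 tooling or the article's own code. It flags any resolved auth0/auth0-php below 8.14.0, the release the article says to upgrade to, which is a stricter bound than the 8.3.0 upper limit listed above; the composer.lock fragment at the bottom is constructed for the demo, and the function names and FIXED_VERSION constant are assumptions.

```php
<?php
// Added example, not Auth0 tooling: scan a composer.lock for the resolved
// auth0/auth0-php version and report whether it predates the fixed release.
// Flags anything below 8.14.0 (the version the article says to upgrade to).
declare(strict_types=1);

const FIXED_VERSION = '8.14.0';
const INTEGRATIONS  = ['auth0/symfony', 'auth0/laravel-auth0', 'auth0/wordpress'];

// Returns a short report: the resolved SDK version, whether it is affected,
// and which integration packages are present. composer.lock pins the SDK
// version even when it is only a transitive dependency, so one lookup suffices.
function auditComposerLock(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $packages = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);

    $report = ['sdk_version' => null, 'affected' => null, 'integrations' => []];
    foreach ($packages as $pkg) {
        $name = $pkg['name'] ?? '';
        if (in_array($name, INTEGRATIONS, true)) {
            $report['integrations'][] = $name . ' ' . ($pkg['version'] ?? '?');
        }
        if ($name === 'auth0/auth0-php') {
            $version = $pkg['version'] ?? '';
            $report['sdk_version'] = $version;
            $report['affected'] = isAffectedVersion($version);
        }
    }
    return $report;
}

// true  = older than the fixed release (upgrade)
// false = fixed release or later
// null  = branch alias such as "dev-main": version_compare() cannot rank it,
//         so check the pinned commit manually.
function isAffectedVersion(string $version): ?bool
{
    $v = strtolower(ltrim($version, 'v'));
    if (str_starts_with($v, 'dev-')) {
        return null;
    }
    // version_compare() understands lower-case pre-release suffixes such as
    // "8.0.0-beta3" and ranks them below the final release.
    return version_compare($v, FIXED_VERSION, '<');
}

// Constructed composer.lock fragment (only the fields the audit reads).
$lock = <<<'JSON'
{
  "packages": [
    {"name": "auth0/auth0-php", "version": "8.3.0"},
    {"name": "auth0/laravel-auth0", "version": "7.5.0"},
    {"name": "psr/log", "version": "3.0.0"}
  ],
  "packages-dev": []
}
JSON;

print_r(auditComposerLock($lock));
```

Point the script at a real lock file with file_get_contents('composer.lock') in place of the embedded fragment. A null result for a dev branch alias means the version string carries no ordering information; inspect the pinned commit against the 8.14.0 tag before concluding anything.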