CVE-2025-47275: 
PHP vulnerability analysis and mitigation

Auth0-PHP SDK, starting in version 8.0.0-BETA1 and prior to version 8.14.0, contains a critical security vulnerability (CVE-2025-47275) discovered by Félix Charette and disclosed on May 15, 2025. The vulnerability affects applications using the Auth0-PHP SDK configured with CookieStore, as well as related SDKs including Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress that rely on the Auth0-PHP SDK (GitHub Advisory).

The vulnerability exists in the CookieStore implementation where session cookies have authentication tags that can be brute forced. The issue has been assigned a CVSS v3.1 score of 9.1 (Critical) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating it requires no user interaction or special privileges to exploit (GitHub Advisory, Wiz).

If successfully exploited, this vulnerability could result in unauthorized access to user accounts. The high CVSS score reflects the potential for significant impact on both confidentiality and integrity of the affected systems, though availability is not impacted (GitHub Advisory).

Users should upgrade Auth0/Auth0-PHP to version 8.14.0 which contains a patch for this vulnerability. Additionally, it is recommended to rotate cookie encryption keys as a precautionary measure. Note that after updating, any previous session cookies will be rejected. For related SDKs, the following versions contain fixes: Auth0/laravel-auth0 v7.17.0, Auth0/symfony v5.4.0, and Auth0/wordpress v5.3.0 (GitHub Advisory).

Okta has issued a critical security advisory warning developers and enterprises using the Auth0-PHP SDK about the vulnerability, emphasizing the importance of immediate updates (Security Online).