GHSA-9fwj-9mjf-rhj3: 
PHP vulnerability analysis and mitigation

A critical vulnerability (GHSA-9fwj-9mjf-rhj3/CVE-2025-47275) was discovered in the laravel-auth0 SDK, affecting versions 8.0.0-BETA1 through versions prior to 8.14.0. The vulnerability involves session cookies of applications using the Auth0-PHP SDK configured with CookieStore having authentication tags that can be brute forced (GitHub Advisory).

The vulnerability received a Critical severity rating with a CVSS v3.1 base score of 9.1. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating network attack vector, low attack complexity, no privileges required, no user interaction needed, unchanged scope, and high impact on confidentiality and integrity with no impact on availability. The vulnerability is classified under CWE-287 (Improper Authentication) (GitHub Advisory).

The vulnerability could result in unauthorized access to affected applications. The high confidentiality and integrity impact ratings suggest that successful exploitation could lead to significant data exposure and system compromise (GitHub Advisory).

Users are advised to upgrade Auth0/laravel-auth0 to version 7.17.0. Additionally, it is recommended to rotate cookie encryption keys as a precautionary measure. It should be noted that after updating, any previous session cookies will be rejected (GitHub Advisory).

Okta acknowledged and credited Félix Charette for discovering this vulnerability (GitHub Advisory).