GHSA-9wg9-93h9-j8ch: 
PHP vulnerability analysis and mitigation

The Auth0 Symfony SDK vulnerability (GHSA-9wg9-93h9-j8ch/CVE-2025-47275) affects applications using Auth0-PHP SDK versions between 8.0.0-BETA1 and prior to 8.14.0 that are configured with CookieStore. The vulnerability was discovered by Félix Charette and disclosed on May 15, 2025. The issue specifically impacts session cookies of applications using the Auth0 Symfony SDK (versions <=5.3.1) where authentication tags can be brute forced (GitHub Advisory).

The vulnerability has been assigned a Critical severity rating with a CVSS v3.1 base score of 9.1. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges or user interaction, and can result in high impacts to both confidentiality and integrity. The vulnerability is classified under CWE-287 (Improper Authentication) (GitHub Advisory).

The vulnerability could result in unauthorized access to affected applications. The high CVSS scores for both confidentiality and integrity (H) indicate that attackers could potentially gain access to sensitive information and modify data within the application scope (GitHub Advisory).

Users are advised to upgrade Auth0/symfony to version 5.4.0 to address the vulnerability. Additionally, it is recommended to rotate cookie encryption keys as a precautionary measure. It should be noted that after updating, any previous session cookies will be rejected (GitHub Advisory).