GHSA-9wg9-93h9-j8ch: 
PHP vulnerability analysis and mitigation

The Auth0 Symfony SDK vulnerability (GHSA-9wg9-93h9-j8ch/CVE-2025-47275) was discovered by Félix Charette and disclosed on May 15, 2025. The vulnerability affects applications using Auth0-PHP SDK versions between 8.0.0-BETA1 and prior to 8.14.0 that are configured with CookieStore, as well as Auth0/symfony SDK versions less than or equal to 5.3.1 (GitHub Advisory, Wiz).

The vulnerability has been assigned a Critical severity rating with a CVSS v3.1 base score of 9.1. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges or user interaction, and can result in high impacts to both confidentiality and integrity. The vulnerability is classified under CWE-287 (Improper Authentication) (GitHub Advisory, Wiz).

The vulnerability could result in unauthorized access to affected applications. The high CVSS scores for both confidentiality and integrity (H) indicate that attackers could potentially gain access to sensitive information and modify data within the application scope (Wiz).

Users are advised to upgrade Auth0/symfony to version 5.4.0 to address the vulnerability. Additionally, it is recommended to rotate cookie encryption keys as a precautionary measure. It should be noted that after updating, any previous session cookies will be rejected (GitHub Advisory, Wiz).