{"url":"http://public2.vulnerablecode.io/api/packages/85318?format=json","purl":"pkg:composer/auth0/symfony@5.1.0","type":"composer","namespace":"auth0","name":"symfony","version":"5.1.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.8.0","latest_non_vulnerable_version":"5.8.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47920?format=json","vulnerability_id":"VCID-547v-utjs-67dt","summary":"Auth0 Symfony SDK Does Not Properly Handle File Types in Bulk User Import\n### Overview\nIn applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs.\n\n### Am I affected?\nYou are affected by this vulnerability if you meet the following preconditions:\n1. Applications using the Auth0 Symfony SDK with versions between 2.0.2 and 5.4.1,\n2. Auth0 Symfony SDK uses the Auth0-PHP SDK with versions between 3.3.0 and 8.16.0.\n\n### Fix\nUpgrade Auth0/symfony to version 5.5.0 or greater.\n\n### Acknowledgement\nOkta would like to thank Mohamed Amine Saidani (pwni) for discovering this vulnerability.","references":[{"reference_url":"https://github.com/auth0/symfony","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/symfony"},{"reference_url":"https://github.com/auth0/symfony/commit/0b6dbd1a7e6ffeebf4cbb08831c9ca9052d2c577","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/symfony/commit/0b6dbd1a7e6ffeebf4cbb08831c9ca9052d2c577"},{"reference_url":"https://github.com/auth0/symfony/releases/tag/5.5.0","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/symfony/releases/tag/5.5.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58769","reference_id":"CVE-2025-58769","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58769"},{"reference_url":"https://github.com/advisories/GHSA-7jp2-5h22-m432","reference_id":"GHSA-7jp2-5h22-m432","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7jp2-5h22-m432"},{"reference_url":"https://github.com/auth0/symfony/security/advisories/GHSA-7jp2-5h22-m432","reference_id":"GHSA-7jp2-5h22-m432","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/symfony/security/advisories/GHSA-7jp2-5h22-m432"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/70698?format=json","purl":"pkg:composer/auth0/symfony@5.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-frfk-gsqx-jfak"},{"vulnerability":"VCID-m55z-jsdf-w7dp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/auth0/symfony@5.5.0"}],"aliases":["GHSA-7jp2-5h22-m432"],"risk_score":1.5,"exploitability":"0.5","weighted_severity":"3.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-547v-utjs-67dt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90194?format=json","vulnerability_id":"VCID-frfk-gsqx-jfak","summary":"Auth0 Symfony SDK has Insufficient Entropy in Cookie Encryption\n### Impact\nIn applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies.\n\n### Am I Affected?\nConsumers are affected if their application meets the following preconditions:\n- It uses the Auth0 Symfony SDK, versions between 5.0.0 and 5.7.0\n- Auth0 Symfony SDK using the Auth0-PHP SDK versions between 8.0.0 to 8.18.0.\n\n### Resolution\nUpgrade Auth0/symfony-auth0 to version 5.8.0 or greater.","references":[{"reference_url":"https://github.com/auth0/symfony","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/symfony"},{"reference_url":"https://github.com/auth0/symfony/security/advisories/GHSA-ghc5-95c2-vwcv","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/symfony/security/advisories/GHSA-ghc5-95c2-vwcv"},{"reference_url":"https://github.com/advisories/GHSA-ghc5-95c2-vwcv","reference_id":"GHSA-ghc5-95c2-vwcv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ghc5-95c2-vwcv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/111516?format=json","purl":"pkg:composer/auth0/symfony@5.8.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/auth0/symfony@5.8.0"}],"aliases":["GHSA-ghc5-95c2-vwcv"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-frfk-gsqx-jfak"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57309?format=json","vulnerability_id":"VCID-fw36-r9j4-qqhf","summary":"Auth0 Symfony SDK Vulnerable to Brute Force Authentication Tags of CookieStore Sessions\n**Overview**\nSession cookies of applications using the Auth0 symfony SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.\n\n**Am I Affected?**\nYou are affected by this vulnerability if you meet the following pre-conditions:\n1. Applications using the Auth0 symfony SDK with version <=5.3.1\n2. Auth0/Symfony SDK uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0.\n3. Session storage configured with CookieStore.\n\n\n**Fix**\nUpgrade Auth0/symfony to v5.4.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.\n\n**Acknowledgement**\nOkta would like to thank FĂ©lix Charette for discovering this vulnerability.","references":[{"reference_url":"https://github.com/auth0/symfony","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/symfony"},{"reference_url":"https://github.com/auth0/symfony/commit/9a7294f08a32f17a0e77c8522a648195b6940340","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/symfony/commit/9a7294f08a32f17a0e77c8522a648195b6940340"},{"reference_url":"https://github.com/auth0/symfony/releases/tag/5.4.0","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/symfony/releases/tag/5.4.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47275","reference_id":"CVE-2025-47275","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47275"},{"reference_url":"https://github.com/advisories/GHSA-9wg9-93h9-j8ch","reference_id":"GHSA-9wg9-93h9-j8ch","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9wg9-93h9-j8ch"},{"reference_url":"https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch","reference_id":"GHSA-9wg9-93h9-j8ch","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85153?format=json","purl":"pkg:composer/auth0/symfony@5.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-547v-utjs-67dt"},{"vulnerability":"VCID-frfk-gsqx-jfak"},{"vulnerability":"VCID-m55z-jsdf-w7dp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/auth0/symfony@5.4.0"}],"aliases":["GHSA-9wg9-93h9-j8ch"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fw36-r9j4-qqhf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49461?format=json","vulnerability_id":"VCID-m55z-jsdf-w7dp","summary":"Auth0 Symfony SDK has Improper Audience Validation via Auth0-PHP SDK\nIn applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.","references":[{"reference_url":"https://github.com/auth0/symfony","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/symfony"},{"reference_url":"https://github.com/auth0/symfony/commit/0103d6f8dcef6996653fad1f823d1c167f472479","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/symfony/commit/0103d6f8dcef6996653fad1f823d1c167f472479"},{"reference_url":"https://github.com/auth0/symfony/releases/tag/5.6.0","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/symfony/releases/tag/5.6.0"},{"reference_url":"https://github.com/advisories/GHSA-f3r2-88mq-9v4g","reference_id":"GHSA-f3r2-88mq-9v4g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f3r2-88mq-9v4g"},{"reference_url":"https://github.com/auth0/symfony/security/advisories/GHSA-f3r2-88mq-9v4g","reference_id":"GHSA-f3r2-88mq-9v4g","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/symfony/security/advisories/GHSA-f3r2-88mq-9v4g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73022?format=json","purl":"pkg:composer/auth0/symfony@5.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-frfk-gsqx-jfak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/auth0/symfony@5.6.0"}],"aliases":["GHSA-f3r2-88mq-9v4g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m55z-jsdf-w7dp"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57402?format=json","vulnerability_id":"VCID-q86z-xrnh-hbah","summary":"Auth0 Symfony SDK Deserialization of Untrusted Data vulnerability\n**Overview**\nThe Auth0 Symfony SDK contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data.\n\n\n**Am I Affected?**\nYou are affected by this vulnerability if you meet the following preconditions:\n\n1. Applications using the Auth0 Symfony SDK, versions between 5.0.0 BETA-0 to 5.0.0.\n2. Auth0 Symfony SDK uses the Auth0-PHP SDK with version 8.0.0-BETA3 to 8.3.0.\n\n**Fix**\nUpgrade Auth0/symfony to the latest version (v5.4.0).\n\n**Acknowledgement**\nOkta would like to thank Andreas Forsblom for discovering this vulnerability.","references":[{"reference_url":"https://github.com/auth0/symfony","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/symfony"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48951","reference_id":"CVE-2025-48951","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48951"},{"reference_url":"https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r","reference_id":"GHSA-862m-5253-832r","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r"},{"reference_url":"https://github.com/advisories/GHSA-98j6-67v3-mw34","reference_id":"GHSA-98j6-67v3-mw34","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-98j6-67v3-mw34"},{"reference_url":"https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34","reference_id":"GHSA-98j6-67v3-mw34","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34"},{"reference_url":"https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q","reference_id":"GHSA-c42h-56wx-h85q","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q"},{"reference_url":"https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492","reference_id":"GHSA-v9m8-9xxp-q492","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85318?format=json","purl":"pkg:composer/auth0/symfony@5.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-547v-utjs-67dt"},{"vulnerability":"VCID-frfk-gsqx-jfak"},{"vulnerability":"VCID-fw36-r9j4-qqhf"},{"vulnerability":"VCID-m55z-jsdf-w7dp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/auth0/symfony@5.1.0"}],"aliases":["GHSA-98j6-67v3-mw34"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q86z-xrnh-hbah"}],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/auth0/symfony@5.1.0"}