Vulnerability details: VCID-kkcj-dvp9-tbg4
Vulnerability ID VCID-kkcj-dvp9-tbg4
Aliases CVE-2025-48951
GHSA-v9m8-9xxp-q492
Summary Auth0-PHP SDK Deserialization of Untrusted Data vulnerability

**Overview**

The Auth0 PHP SDK contains a vulnerability due to insecure deserialization of cookie data. Because the SDKs process cookie content without prior authentication, a threat actor could exploit this by sending a specially crafted cookie containing malicious serialized data.

**Am I Affected?**

You are affected by this vulnerability if you meet the following preconditions:

1. Applications using the Auth0-PHP SDK, versions from 8.0.0-BETA3 to 8.3.0.
2. Applications using the following SDKs that rely on the Auth0-PHP SDK versions from 8.0.0-BETA3 to 8.3.0:
   a. Auth0/symfony,
   b. Auth0/laravel-auth0,
   c. Auth0/wordpress.

**Fix**

Upgrade Auth0/Auth0-PHP to 8.3.1.

**Acknowledgement**

Okta would like to thank Andreas Forsblom for discovering this vulnerability.
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
System Score Found at
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2025-48951
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-v9m8-9xxp-q492
cvssv4 9.3 https://github.com/auth0/auth0-PHP
generic_textual CRITICAL https://github.com/auth0/auth0-PHP
cvssv4 9.3 https://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715
generic_textual CRITICAL https://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715
ssvc Track https://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715
cvssv3.1_qr CRITICAL https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492
cvssv4 9.3 https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492
generic_textual CRITICAL https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492
ssvc Track https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492
cvssv4 9.3 https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q
generic_textual CRITICAL https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q
ssvc Track https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q
cvssv4 9.3 https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34
generic_textual CRITICAL https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34
ssvc Track https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34
cvssv4 9.3 https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r
generic_textual CRITICAL https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r
ssvc Track https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r
cvssv4 9.3 https://nvd.nist.gov/vuln/detail/CVE-2025-48951
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2025-48951
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H Found at https://github.com/auth0/auth0-PHP
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H Found at https://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-04T13:33:17Z/ Found at https://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H Found at https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-04T13:33:17Z/ Found at https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H Found at https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-04T13:33:17Z/ Found at https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H Found at https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-04T13:33:17Z/ Found at https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H Found at https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-04T13:33:17Z/ Found at https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-48951
Exploit Prediction Scoring System (EPSS)
Percentile 0.37155
EPSS Score 0.00164
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:24:06.724463+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/auth0/auth0-php/CVE-2025-48951.yml 38.6.0