CVE-2025-47275

CRITICAL9.1EPSS 0.08%

Auth0 Symfony SDK Vulnerable to Brute Force Authentication Tags of CookieStore Sessions

發布日:2025/5/17修改日:2026/2/5

描述

**Overview** Session cookies of applications using the Auth0 symfony SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. **Am I Affected?** You are affected by this vulnerability if you meet the following pre-conditions: 1. Applications using the Auth0 symfony SDK with version <=5.3.1 2. Auth0/Symfony SDK uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0. 3. Session storage configured with CookieStore. **Fix** Upgrade Auth0/symfony to v5.4.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected. **Acknowledgement** Okta would like to thank Félix Charette for discovering this vulnerability.

受影響套件(4)

Packagist/auth0/auth0-php>= 8.0.0-BETA1, < 8.14.0
Packagist/auth0/loginfrom 0, < 7.17.0
Packagist/auth0/symfonyfrom 0, < 5.4.0
Packagist/auth0/wordpressfrom 0, < 5.3.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

描述

受影響套件(4)

CVSS 分數

參考連結(17)