Commit 574985b

1 parent 0d33bad commit 574985b

1 file changed

+2
-2
lines changed


advisories/github-reviewed/2025/05/GHSA-g98g-r7gf-2r25/GHSA-g98g-r7gf-2r25.json

Lines changed: 2 additions & 2 deletions
@@ -1,12 +1,12 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-g98g-r7gf-2r25",
4-
"modified": "2025-05-16T17:48:55Z",
4+
"modified": "2025-05-22T20:03:15Z",
55
"published": "2025-05-16T17:48:55Z",
66
"aliases": [
77
"CVE-2025-47275"
88
],
9-
"summary": "Forgeable Encrypted Session Cookie in Apps Using Auth0-PHP SDK",
9+
"summary": "Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK",
1010
"details": "**Overview**\nSession cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.\n\n**Am I Affected?**\nYou are affected by this vulnerability if you meet the following pre-conditions:\n1. Applications using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK:\n a. Auth0/symfony,\n b. Auth0/laravel-auth0,\n c. Auth0/wordpress,\n2. Session storage configured with CookieStore.\n\n**Fix**\nUpgrade Auth0/Auth0-PHP to v8.14.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.\n\n**Acknowledgement**\nOkta would like to thank Félix Charette for discovering this vulnerability.",
1111
"severity": [
1212
{
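Review bot: The replacement `summary` line now names the mechanism (brute-forcing CookieStore authentication tags) instead of the impact (a forgeable encrypted session cookie); that matches the wording the `details` field already uses ("authentication tags that can be brute forced, which may result in unauthorized access"), so the two fields are consistent, but consider keeping the consequence visible in the summary as well, e.g. "Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK Allows Session Forgery", since readers triaging by summary alone lose the impact statement. The `modified` timestamp bump from 2025-05-16 to 2025-05-22 is the only other change and is appropriate for a metadata-only edit; `published`, `id` and the CVE alias are unchanged.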
