GHSA-9WG9-93H9-J8CH
Vulnerability from github – Published: 2025-05-17 15:06 – Updated: 2025-05-17 15:06Overview Session cookies of applications using the Auth0 symfony SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.
Am I Affected? You are affected by this vulnerability if you meet the following pre-conditions: 1. Applications using the Auth0 symfony SDK with version <=5.3.1 2. Auth0/Symfony SDK uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0. 3. Session storage configured with CookieStore.
Fix Upgrade Auth0/symfony to v5.4.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.
Acknowledgement Okta would like to thank Félix Charette for discovering this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "auth0/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-17T15:06:54Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "**Overview**\nSession cookies of applications using the Auth0 symfony SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.\n\n**Am I Affected?**\nYou are affected by this vulnerability if you meet the following pre-conditions:\n1. Applications using the Auth0 symfony SDK with version \u003c=5.3.1\n2. Auth0/Symfony SDK uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0. \n3. Session storage configured with CookieStore.\n\n\n**Fix**\nUpgrade Auth0/symfony to v5.4.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.\n\n**Acknowledgement**\nOkta would like to thank F\u00e9lix Charette for discovering this vulnerability.",
"id": "GHSA-9wg9-93h9-j8ch",
"modified": "2025-05-17T15:06:54Z",
"published": "2025-05-17T15:06:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47275"
},
{
"type": "WEB",
"url": "https://github.com/auth0/symfony/commit/9a7294f08a32f17a0e77c8522a648195b6940340"
},
{
"type": "PACKAGE",
"url": "https://github.com/auth0/symfony"
},
{
"type": "WEB",
"url": "https://github.com/auth0/symfony/releases/tag/5.4.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Auth0 Symfony SDK Vulnerable to Brute Force Authentication Tags of CookieStore Sessions"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.