
A newly disclosed vulnerability in the Auth0 PHP SDK—a widely-used authentication toolkit with over 16 million downloads—poses a critical threat to web applications that rely on social and enterprise identity integration. The flaw, tracked as CVE-2025-48951, has received a CVSS score of 9.3, classifying it as critical.
“The Auth0 PHP SDK contains a vulnerability due to insecure deserialization of cookie data… a threat actor could send a specially crafted cookie containing malicious serialized data,” the advisory explains.
This flaw impacts versions 8.0.0-BETA3 through 8.3.0 of the SDK and all dependent frameworks, including:
- auth0/symfony
- auth0/laravel-auth0
- auth0/wordpress
The vulnerability stems from how the SDK handles cookie data prior to authentication. Malicious actors could exploit this by sending tampered cookies containing serialized payloads that trigger arbitrary code execution or disrupt application logic—all without needing valid credentials.
“Since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie…,” the advisory notes.
In applications where cookies are not properly isolated or verified, this flaw opens a door to remote code execution (RCE) and data compromise—making it a prime target for attackers in the wild.
You’re affected if:
- You’re using auth0/auth0-php between v8.0.0-BETA3 and v8.3.0.
- Your application uses other SDKs that depend on these versions:
  - auth0/symfony
  - auth0/laravel-auth0
  - auth0/wordpress
Remediation is to upgrade auth0/auth0-php to v8.14.0 or later. The patched version validates serialized cookie data before processing it.
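As an added illustration of the bug class described above (not the SDK's own code, nor the fix shipped in v8.14.0), the following PHP shows a cookie handed straight to unserialize() beside a handler that authenticates the cookie with an HMAC and decodes it as JSON before touching its contents; the cookie name and secret are constructed for the example.

```php
<?php
// Added illustration of the bug class, not Auth0 SDK code. COOKIE_NAME and
// the secret are constructed for this example.
const COOKIE_NAME = 'app_session';

// VULNERABLE: unserialize() runs on attacker-controlled bytes before any
// authentication; PHP instantiates whatever classes the payload names and
// runs their magic methods (__wakeup/__destruct), which is the path from a
// crafted cookie to code execution or broken application logic.
function loadSessionVulnerable(array $cookies): ?array
{
    if (!isset($cookies[COOKIE_NAME])) {
        return null;
    }
    $state = @unserialize($cookies[COOKIE_NAME]);
    return is_array($state) ? $state : null;
}

// HARDENED: authenticate the cookie with an HMAC under a server-side secret
// before decoding, and decode with json_decode(), which yields only
// scalars/arrays and never instantiates classes.
function writeSessionHardened(array $state, string $secret): string
{
    $payload = base64_encode(json_encode($state, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

function loadSessionHardened(array $cookies, string $secret): ?array
{
    $raw = $cookies[COOKIE_NAME] ?? null;
    // $_COOKIE values can be arrays (name[]=...), so insist on a string.
    if (!is_string($raw) || substr_count($raw, '.') !== 1) {
        return null;
    }
    [$payload, $mac] = explode('.', $raw, 2);
    // hash_equals() is constant-time; a tampered or forged cookie is
    // rejected here, before any of its content is interpreted.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    $json = base64_decode($payload, true);
    $state = $json === false ? null : json_decode($json, true);
    return is_array($state) ? $state : null;
}

// Constructed demonstration values.
$secret = 'server-side-secret-from-config';
$cookie = [COOKIE_NAME => writeSessionHardened(['sub' => 'user123'], $secret)];
var_dump(loadSessionHardened($cookie, $secret));   // untouched cookie
$cookie[COOKIE_NAME][0] = 'X';                      // tamper one byte
var_dump(loadSessionHardened($cookie, $secret));   // tampered cookie
```

Validating the MAC before decoding is what makes the second call fail closed; the JSON decoding step additionally removes the object-instantiation surface that unserialize() exposes even when a cookie is untampered.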