Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-47275— Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK

CVSS 9.1 · Critical EPSS 0.08% · P24
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-47275

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK
Source: NVD (National Vulnerability Database)
Vulnerability Description
Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Certain pre-conditions are required to be vulnerable to this issue: Applications using the Auth0-PHP SDK, or the Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress SDKs that rely on the Auth0-PHP SDK; and session storage configured with CookieStore. Upgrade Auth0/Auth0-PHP to v8.14.0 to receive a patch. As an additional precautionary measure, rotating cookie encryption keys is recommended. Note that once updated, any previous session cookies will be rejected.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Auth0-PHP 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Auth0-PHP是Auth0开源的一个用于Auth0身份验证和管理API的PHP SDK。 Auth0-PHP 8.0.0-BETA1至8.14.0之前版本存在授权问题漏洞,该漏洞源于CookieStore中的会话cookie可被暴力破解,可能导致未经授权访问。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

VendorProductAffected VersionsCPESubscribe
auth0auth0-PHP >= 8.0.0-BETA1, < 8.14.0 -

II. Public POCs for CVE-2025-47275

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-47275

登录查看更多情报信息。

IV. Related Vulnerabilities

Same product: auth0-PHP
Same vendor: auth0
Same weakness: CWE-287

V. Comments for CVE-2025-47275

No comments yet

Leave a comment