GHSA-9fwj-9mjf-rhj3

Source

https://github.com/advisories/GHSA-9fwj-9mjf-rhj3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-9fwj-9mjf-rhj3/GHSA-9fwj-9mjf-rhj3.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-9fwj-9mjf-rhj3

Related

CVE-2025-47275

Published

2025-05-17T15:07:55Z

Modified

2025-05-17T15:35:06.401177Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

laravel-auth0 SDK Vulnerable to Brute Force Authentication Tags of CookieStore Sessions

Details

Overview Session cookies of applications using the laravel-auth0 SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.

Am I Affected? You are affected by this vulnerability if you meet the following pre-conditions: 1. Applications using laravel-auth0 SDK with version <=7.16.0 2. laravel-auth0 SDK uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0.
3. Session storage configured with CookieStore.

Fix Upgrade Auth0/laravel-auth0 to v7.17.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.

Acknowledgement Okta would like to thank Félix Charette for discovering this vulnerability.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-287"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-17T15:07:55Z"
}

References

Affected packages

Packagist / auth0/login

Package

Name: auth0/login
Purl: pkg:composer/auth0/login

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.17.0

Affected versions

1.*

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

2.*

2.0.0

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.2.0

2.2.1

2.3.0

2.3.1

2.3.2

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.1.0

3.2.0

3.2.1

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.8

5.*

5.0.0

5.0.1

5.0.2

5.1.0

5.2.0

5.3.0

5.3.1

5.4.0

6.*

6.0.0

6.0.1

6.1.0

6.2.0

6.3.0

6.4.0

6.4.1

6.5.0

7.*

7.0.0-BETA1

7.0.0-BETA2

7.0.0

7.0.1

7.1.0

7.2.0

7.2.1

7.2.2

7.3.0

7.4.0

7.5.0

7.5.1

7.5.2

7.6.0

7.7.0

7.8.0

7.8.1

7.9.0

7.9.1

7.10.0

7.10.1

7.11.0

7.12.0

7.13.0

7.14.0

7.15.0

7.16.0