What is the CVSS score of EUVD-2025-16787?

EUVD-2025-16787 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H. EPSS exploitation probability: 0.1%.

Which versions of PHP are affected by EUVD-2025-16787?

A critical vulnerability in Auth0-PHP SDK versions 8.0.0-BETA3 through 8.14.0 allows attackers to execute arbitrary code by sending malicious serialized data via cookies, bypassing authentication…. A patch is available.

How to fix or mitigate EUVD-2025-16787?

Within 24 hours: Inventory all applications using Auth0-PHP SDK and affected downstream SDKs (Symfony, Laravel, WordPress); assess which are running vulnerable versions 8.0.0-BETA3 to 8.14.0; implement network-level cookie validation rules. Within 7 days: Apply the available patch to upgrade Auth0-PHP SDK to version 8.3.1 or later, including corresponding updates to dependent SDKs; conduct testing in non-production environments first. Within 30 days: Validate all systems are patched in production; review authentication logs for suspicious cookie activity during the vulnerability window; conduct security awareness training on the incident.

PHP EUVD-2025-16787

| CVE-2025-48951 CRITICAL

Deserialization of Untrusted Data (CWE-502)

2025-06-03 security-advisories@github.com

GHSA-v9m8-9xxp-q492

Deserialization PHP RCE

9.3

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.3 CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 14, 2026 - 17:04 euvd

EUVD-2025-16787

Analysis Generated

Mar 14, 2026 - 17:04 vuln.today

CVE Published

Jun 03, 2025 - 21:15 nvd

CRITICAL 9.3

DescriptionGitHub Advisory

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKsrely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue.