How to fix EUVD-2025-16787?

Within 24 hours: Inventory all applications using Auth0-PHP SDK and affected downstream SDKs (Symfony, Laravel, WordPress); assess which are running vulnerable versions 8.0.0-BETA3 to 8.14.0; implement network-level cookie validation rules. Within 7 days: Apply the available patch to upgrade Auth0-PHP SDK to version 8.3.1 or later, including corresponding updates to dependent SDKs; conduct testing in non-production environments first. Within 30 days: Validate all systems are patched in production; review authentication logs for suspicious cookie activity during the vulnerability window; conduct security awareness training on the incident.

Is Deserialization affected by EUVD-2025-16787?

A critical vulnerability in Auth0-PHP SDK versions 8.0.0-BETA3 through 8.14.0 allows attackers to execute arbitrary code by sending malicious serialized data via cookies, bypassing authentication entirely.

EUVD-2025-16787

| CVE-2025-48951 CRITICAL

2025-06-03 [email protected]

GHSA-v9m8-9xxp-q492

9.3

CVSS 4.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 14, 2026 - 17:04 euvd

EUVD-2025-16787

Analysis Generated

Mar 14, 2026 - 17:04 vuln.today

CVE Published

Jun 03, 2025 - 21:15 nvd

CRITICAL 9.3

Description

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKsrely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue.

Analysis

Insecure deserialization in Auth0-PHP SDK 8.0.0-BETA3 to before 8.3.1.

Technical Context

CWE-502.

Affected Products

['Auth0-PHP 8.0.0-BETA3 - 8.3.0']

Remediation

Update to 8.3.1.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +46

POC: 0

EUVD-2025-16787 vulnerability details – vuln.today

Back

EUVD-2025-16787

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

EUVD-2025-16787

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code