The vulnerability (CVE-2025-48951 / GHSA-v9m8-9xxp-q492) is a Deserialization of Untrusted Data (CWE-502) flaw in the Auth0-PHP SDK, specifically in the CookieStore class. The root cause was the use of PHP's unserialize() on data read from cookies in the Auth0\SDK\Store\CookieStore::decrypt() method.
The Auth0\SDK\Store\CookieStore::getState() method fetches raw cookie data from the $_COOKIE superglobal, concatenates the relevant cookie chunks and passes the combined string to decrypt().
Before the patch, decrypt() applied unserialize() to this cookie-derived string at more than one point: first to parse an outer envelope (when encryption was enabled, this envelope carried the initialization vector, the authentication tag and the ciphertext) and again on the inner payload, either after decryption or directly when encryption was not in use. Because the outer envelope was unserialized before any decryption or tag verification took place, enabling cookie encryption did not protect against the attack: the bytes handed to the first unserialize() call were entirely attacker-controlled.
An attacker could craft a cookie containing a specially serialized PHP object. Any HTTP request carrying that cookie, authenticated or not, would cause getState() to pass it to decrypt(), where unserialize() would instantiate the object. If a suitable class (a "gadget") was loadable in the application, for example one whose __wakeup() or __destruct() magic method performs file, network or code-loading operations driven by its properties, the attacker-chosen property values would steer those operations, with impacts ranging from remote code execution to data exposure or denial of service. The SDK itself does not need to ship such a class: unserialize() triggers the autoloader, so any class reachable through the application's class path, including third-party dependencies, is a candidate.
The patch addressed this by removing serialize() and unserialize() entirely. json_encode() now prepares data for cookie storage (in encrypt(), which was also modified) and json_decode() with the associative-array flag set to true parses it in decrypt(). Additionally, setrawcookie() replaces setcookie() so that cookie values are written without the URL encoding that setcookie() applies, avoiding encoding/decoding mismatches when the value is read back. json_decode() can only produce arrays and scalars, never instances of application classes, so a cookie can no longer cause a class to be instantiated and its magic methods to run; this is what removes the object-injection risk. Note that deployments using the SDK's unencrypted-cookie mode still have no integrity protection on the cookie contents and should treat the decoded values as untrusted input.
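The mechanism described in the two paragraphs above, as an added PHP example that is not code from the Auth0-PHP SDK: LogWriter is a hypothetical application class that happens to be a usable gadget, decryptLegacy() is a hypothetical stand-in for the unencrypted branch of the pre-patch decrypt(), and decryptPatched() is a hypothetical stand-in for the json_decode() replacement. The serialized cookie payload is constructed inline, by hand, the way an attacker would write it.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the Auth0-PHP SDK. decryptLegacy() and
// decryptPatched() are hypothetical stand-ins for the unencrypted branch of
// CookieStore::decrypt() before and after the fix; LogWriter is a hypothetical
// application class that happens to make a usable gadget.

// A class with a destructor whose side effect is driven by its own
// properties. Any such class that the autoloader can find is a gadget
// candidate for unserialize(): the attacker picks the property values.
final class LogWriter
{
    public string $path = '';
    public string $data = '';

    public function __destruct()
    {
        // Runs when the object is destroyed, including objects that
        // unserialize() built from attacker-supplied bytes.
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Pre-patch shape: the raw cookie value goes straight into unserialize().
function decryptLegacy(string $cookie): mixed
{
    return unserialize($cookie);
}

// Patched shape: json_decode() with $associative = true can only return
// arrays and scalars, so a class name in the input is just a string.
function decryptPatched(string $cookie): ?array
{
    $decoded = json_decode($cookie, true, 512, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : null;
}

// Constructed attacker cookie: a hand-written serialized LogWriter whose
// properties aim the destructor at a file of the attacker's choosing.
$target = sys_get_temp_dir() . '/gadget-demo.txt';
$maliciousCookie = sprintf(
    'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:21:"written by __destruct";}',
    strlen($target),
    $target
);

// 1. Vulnerable path: unserialize() instantiates LogWriter; the destructor
//    fires as soon as the object is released and the file appears.
@unlink($target);
$state = decryptLegacy($maliciousCookie);
printf("legacy: decoded to %s\n", get_debug_type($state));
unset($state);
printf("legacy: file written? %s\n", file_exists($target) ? 'yes' : 'no');

// 2. Patched path with the same bytes: not valid JSON, so decoding fails
//    closed and no object is ever created.
@unlink($target);
try {
    decryptPatched($maliciousCookie);
} catch (JsonException $e) {
    printf("patched: rejected (%s)\n", $e->getMessage());
}
printf("patched: file written? %s\n", file_exists($target) ? 'yes' : 'no');

// 3. Patched path with well-formed state that even names the gadget class:
//    it comes back as a plain string inside an array.
$jsonCookie = json_encode(['sub' => 'auth0|123', 'class' => 'LogWriter']);
$decoded = decryptPatched($jsonCookie);
printf("patched: class field is a %s\n", get_debug_type($decoded['class']));
@unlink($target);
```

Run it with any PHP 8 interpreter: the legacy path reports that the target file exists after the object is released, the patched path rejects the same bytes with a JSON syntax error and never creates the file, and a legitimate JSON cookie that happens to contain the string "LogWriter" decodes to a plain string. The same hand-written bytes would be accepted by any unserialize() call that does not restrict classes; PHP's unserialize($data, ['allowed_classes' => false]) would have turned LogWriter into a __PHP_Incomplete_Class and kept the destructor from running, but dropping unserialize() in favour of JSON, as the patch did, removes the attack surface instead of fencing it.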