DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-GHC5-95C2-VWCV: Insufficient Entropy in Cookie Encryption within Auth0 Symfony SDK


Vulnerability ID: GHSA-GHC5-95C2-VWCV
CVSS Score: 8.2
Published: 2026-04-03

The Auth0 Symfony SDK (versions 5.0.0 through 5.7.0) is vulnerable to an insufficient entropy flaw in its cookie encryption implementation, stemming from the underlying auth0/auth0-php library. This allows an attacker to brute-force session keys and forge valid authentication cookies.

TL;DR

Insufficient entropy in Auth0 Symfony SDK cookie encryption allows attackers to brute-force session keys and forge authentication cookies, leading to full account takeover.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability ID: GHSA-GHC5-95C2-VWCV
  • Mapped CVE: CVE-2026-34236
  • CWE ID: CWE-331 (Insufficient Entropy)
  • CVSS v3.1 Score: 8.2 (High)
  • Attack Vector: Network
  • Attack Complexity: High
  • Primary Impact: Account Takeover via Session Forgery

Affected Systems

  • Auth0 Symfony SDK (auth0/symfony)
  • Auth0 PHP SDK (auth0/auth0-php)
  • Symfony Applications implementing Auth0 session management
  • auth0/symfony: >= 5.0.0, <= 5.7.0 (Fixed in: 5.8.0)
  • auth0/auth0-php: >= 8.0.0, < 8.19.0 (Fixed in: 8.19.0)

Mitigation Strategies

  • Upgrade SDKs to secure versions
  • Rotate cryptographic secrets
  • Invalidate active sessions

Remediation Steps

  1. Update composer.json to require 'auth0/symfony' version 5.8.0 or higher.
  2. Ensure the composer lock file enforces 'auth0/auth0-php' version 8.19.0 or higher.
  3. Deploy the updated dependencies to all environments.
  4. Generate a new, cryptographically secure random string to serve as the cookie encryption key.
  5. Update the application configuration with the new encryption key.
  6. Restart the application services to enforce the use of the new key and invalidate existing sessions.
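The following POSIX shell script is an added example written for this post; it is not part of the advisory, the Auth0 SDKs, or the CVE Reports site. It covers steps 2 and 4 above: it reads the versions of auth0/symfony and auth0/auth0-php recorded in a composer.lock, compares them against the fixed versions named in the advisory (5.8.0 and 8.19.0), and only then produces a replacement cookie secret with 256 bits of entropy drawn from the OS CSPRNG. The composer.lock excerpt is constructed for a stand-alone run, and the environment variable name AUTH0_COOKIE_SECRET is an assumption about how your Symfony configuration injects the secret; substitute whatever your auth0 bundle configuration actually references.

```shell
#!/bin/sh
# Added example (not from the advisory or the Auth0 projects).
# Checks composer.lock against the fixed versions from the advisory and
# generates a new cookie encryption secret from /dev/urandom.

FIXED_SYMFONY="5.8.0"   # auth0/symfony fixed in 5.8.0 (per advisory)
FIXED_PHP="8.19.0"      # auth0/auth0-php fixed in 8.19.0 (per advisory)

# Constructed composer.lock excerpt: one vulnerable package, one fixed one.
SAMPLE_LOCK='{"packages":[{"name":"auth0/symfony","version":"5.7.0"},{"name":"auth0/auth0-php","version":"8.19.0"}]}'

# lock_version NAME LOCKJSON -> prints the version recorded for NAME (leading "v" stripped), or nothing.
lock_version() {
  printf '%s' "$2" | awk -v name="$1" 'BEGIN { RS = "}" }
    $0 ~ ("\"name\": *\"" name "\"") {
      if (match($0, /"version": *"[^"]*"/)) {
        v = substr($0, RSTART, RLENGTH)
        sub(/^"version": *"v?/, "", v); sub(/"$/, "", v)
        print v
      }
      exit
    }'
}

# version_ge A B -> exit 0 if dotted version A >= B, comparing each field numerically.
version_ge() {
  a="$1"; b="$2"; i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# check_lock LOCKJSON -> prints one status line per package; exit 1 if any is still vulnerable.
check_lock() {
  rc=0
  for spec in "auth0/symfony:$FIXED_SYMFONY" "auth0/auth0-php:$FIXED_PHP"; do
    name=${spec%%:*}; need=${spec##*:}
    have=$(lock_version "$name" "$1")
    if [ -z "$have" ]; then
      echo "$name MISSING from lock file"
    elif version_ge "$have" "$need"; then
      echo "$name $have FIXED"
    else
      echo "$name $have VULNERABLE (need >= $need)"; rc=1
    fi
  done
  return $rc
}

# new_cookie_secret -> 32 bytes from the OS CSPRNG, hex-encoded (64 chars, 256 bits of entropy).
new_cookie_secret() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# secret_ok SECRET -> exit 0 only if the secret encodes at least 32 bytes.
secret_ok() { [ "${#1}" -ge 64 ]; }

# Stand-alone demo on the constructed lock file: report the vulnerable
# package, then print a fresh secret for the (assumed) AUTH0_COOKIE_SECRET variable.
check_lock "$SAMPLE_LOCK" || echo "upgrade the packages above before rotating the secret"
echo "AUTH0_COOKIE_SECRET=$(new_cookie_secret)"
```

In a real deployment, run `check_lock "$(cat composer.lock)"` after `composer update`, and only once it reports both packages as FIXED, write the new secret into the configuration and restart the services so that every cookie sealed under the old key is rejected (step 6).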

