A serious vulnerability (CVE-2025-48951) has been discovered in Auth-PHP, an SDK used for authentication and user management with Auth. If your app uses Auth-PHP versions from 8..-BETA3 up to but not including 8.3.1, you could be wide open to account takeovers and remote code execution with just a single poisoned cookie.
This issue doesn’t only affect users of the core Auth-PHP SDK — it extends to all projects relying on it as a dependency, including:
- auth/symfony
- auth/laravel-auth
- auth/wordpress
Let’s walk through why this vulnerability is dangerous, how it works, real code examples, and how you can fix or protect yourself.
What Is CVE-2025-48951?
In PHP, serialization is a technique to turn complex data (like arrays, objects) into a string that can easily be saved or sent — often as a cookie. Deserialization turns that string back into PHP data for use in your code.
The Problem:
In Auth-PHP < 8.3.1, the SDK took certain cookie data and unserialized it without properly checking what was in that cookie. Anyone, including unauthenticated users, could send a crafted cookie that makes your app run arbitrary PHP code or inject malicious data.
---
A simplified example from inside the SDK (before the patch):
```php
if (isset($_COOKIE['auth_session'])) {
    // WARNING: This code deserializes directly from user input!
    $sessionData = unserialize($_COOKIE['auth_session']);
}
```
What’s wrong?
The unserialize() function is dangerous with user data, since attackers can create serialized payloads that instantiate arbitrary PHP objects—potentially triggering code via destructors or magic methods.
Exploiting the Vulnerability
An attacker can generate a malicious payload if they know of a PHP class within your app or a dependency that contains a dangerous __wakeup() or __destruct() method (for example, writing files, deleting data, running system commands).
Suppose we find a class like this:
```php
class Evil {
    public function __wakeup() {
        // Run arbitrary code here
        system('touch /tmp/owned_by_hacker');
    }
}
```
We can create a payload in PHP like:
```php
// Malicious cookie value:
$payload = serialize(new Evil());
echo urlencode($payload);
// serialize() produces: O:4:"Evil":0:{}
// urlencode() produces the value sent as Cookie: auth_session=O%3A4%3A%22Evil%22%3A0%3A%7B%7D
```
Am I Affected?
You are at risk if you use any of these packages and your composer.lock references Auth-PHP lower than 8.3.1:
- auth/auth-php
- auth/symfony
- auth/laravel-auth
- auth/wordpress
To check, look in your composer.lock or composer.json files, or run:
```shell
composer show auth/auth-php
```
How Was This Fixed?
In version 8.3.1, the Auth-PHP maintainers added robust checks to prevent unsafe deserialization, for example removing direct uses of unserialize() on any cookie data.
View the diff or see the official advisory
1. Upgrade auth/auth-php to version 8.3.1 or higher
```shell
composer require auth/auth-php:^8.3.1
```
Also update any framework packages that depend on it, e.g.:
```shell
composer update auth/symfony
composer update auth/laravel-auth
composer update auth/wordpress
```
2. Block Malicious Cookies
Until you can patch, consider rejecting malicious auth_session cookies before they reach the SDK, or disabling auth cookies entirely if your app does not need them (see your framework docs).
3. Detect Exploitation
Review server logs for unusual auth_session cookie values, such as values that look like serialized PHP objects, and for signs of unexpected code execution.
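An added example, not Auth-PHP's own code, showing both the fix described above (replacing unserialize() on cookie data with a format that cannot instantiate classes) and the detection step (flagging auth_session cookies that carry a serialized PHP object token). The cookie layout "<base64 JSON>.<hex HMAC>", the secret key and the log line are this example's assumptions.

```php
<?php
// Added example (not the SDK's code): a hardened replacement for the
// `unserialize($_COOKIE['auth_session'])` pattern, plus a log check.
// Assumed: the cookie holds "<base64 json>.<hex hmac>" and $secret is
// a server-side key; both are this example's choices, not Auth-PHP's.

function readSessionCookie(string $cookie, string $secret): ?array {
    // Defence in depth: never let serialized object/class tokens through.
    if (preg_match('/^[OC]:\d+:"/', $cookie)) {
        return null;
    }
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison: a cookie not signed by us is ignored.
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }
    // json_decode() only builds arrays/scalars; it never instantiates classes.
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}

function writeSessionCookie(array $data, string $secret): string {
    $payload = base64_encode(json_encode($data));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Detection helper for access logs: flag requests whose auth_session
// cookie starts with a serialized object (O:) or class (C:) token,
// whether or not the colons are URL-encoded as %3A.
function looksLikeSerializedObjectCookie(string $logLine): bool {
    return (bool) preg_match('/auth_session=[OC](?:%3A|:)\d+(?:%3A|:)/i', $logLine);
}

$secret = 'constructed-example-key';
$good = writeSessionCookie(['sub' => 'user123'], $secret);
var_dump(readSessionCookie($good, $secret));
var_dump(readSessionCookie('O:4:"Evil":0:{}', $secret));
// Constructed log line, in the shape of the cookie from the post above:
$line = '1.2.3.4 - - "GET / HTTP/1.1" "Cookie: auth_session=O%3A4%3A%22Evil%22%3A0%3A%7B%7D"';
var_dump(looksLikeSerializedObjectCookie($line));
```

If the serialize() format must be kept for compatibility, PHP 7+'s `unserialize($s, ['allowed_classes' => false])` turns any object token into `__PHP_Incomplete_Class` instead of instantiating it, but signing the cookie is still required so that unsigned values are rejected outright.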
References
- Auth-PHP Security Advisory (GitHub)
- NVD Entry for CVE-2025-48951
- PHP Secure Deserialization
Conclusion
CVE-2025-48951 is a classic example of why you should never trust cookie data, and why deserialization is a prime target for attackers. If your PHP app’s user authentication runs through Auth, check your SDK version now and patch as soon as possible.
Timeline
Published on: 06/03/2025 21:15:21 UTC
Last modified on: 06/04/2025 21:15:40 UTC