GHSA-ghc5-95c2-vwcv: Auth0 Symfony SDK has Insufficient Entropy in Cookie Encryption
In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies.