Merge branch 'main' into feature/m2m_quota

Author: kishore7snehil

.version

@@ -1 +1 @@
-8.13.0
+8.14.0

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Change Log
 
+## [8.14.0](https://github.com/auth0/auth0-PHP/tree/8.14.0) (2025-05-16)
+[Full Changelog](https://github.com/auth0/auth0-PHP/compare/8.13.0...8.14.0)
+
+**Fixed**
+
+- Security fix: Resolve CVE-2025-47275
+
 ## [8.13.0](https://github.com/auth0/auth0-PHP/tree/8.13.0) (2024-11-15)
 [Full Changelog](https://github.com/auth0/auth0-PHP/compare/8.12.0...8.13.0)
 

src/Auth0.php

@@ -21,7 +21,7 @@ final class Auth0 implements Auth0Interface
     /**
      * @var string
      */
-    public const VERSION = '8.13.0';
+    public const VERSION = '8.14.0';
 
     /**
      * Authentication Client.

src/Store/CookieStore.php

@@ -13,6 +13,7 @@
 use function is_array;
 use function is_int;
 use function is_string;
+use function strlen;
 
 /**
  * This class provides a layer to persist transient auth data using cookies.
@@ -39,6 +40,11 @@ final class CookieStore implements StoreInterface
      */
     public const VAL_CRYPTO_ALGO = 'aes-128-gcm';
 
+    /**
+     * @var int
+     */
+    public const VAL_CRYPTO_TAG_LENGTH_BYTES = 16;
+
     /**
      * When true, CookieStore will not setState() itself. You will need manually call the method to persist state to storage.
      */
@@ -123,7 +129,7 @@ public function decrypt(
         $iv = base64_decode($data['iv'], true);
         $tag = base64_decode($data['tag'], true);
 
-        if (! is_string($iv) || ! is_string($tag)) {
+        if (! is_string($iv) || ! is_string($tag) || self::VAL_CRYPTO_TAG_LENGTH_BYTES !== strlen($tag)) {
             return null;
         }