cookie_oauth_client_class::Unserialize() works on an untrusted string supplied by the browser. It is a string decrypted with 3DES, but it is still a user-supplied string.
3DES is an encryption which was broken in 2016.
Calling unserialize() on a user-supplied string is a well-known security vulnerability. It can be misused to do 'Object Injection'.
That's one of the top 10 vulnerabilities within the OWASP report from 2017; see A8 on https://www.owasp.org/index.php/Top_10-2017_Top_10
In case we could use e.g. json_encode() or similar, this vulnerability would go away.
See also https://www.google.de/search?q=php+serialize+vulnerability
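
The json_encode() approach suggested above, as an added example that is not part of the original post or the class's own code: the cookie value is stored as JSON, which only ever decodes to arrays and scalars, never to PHP objects. The function names, the key constant and the HMAC integrity check are assumptions added for illustration; the post itself only proposes json_encode().

```php
<?php
// Added example. encode_state(), decode_state() and COOKIE_KEY are
// hypothetical names; the key and the state values are constructed samples.
// Requires PHP 7.3+ for JSON_THROW_ON_ERROR.
declare(strict_types=1);

const COOKIE_KEY = 'constructed-sample-key-change-me'; // assumption: server-side secret

// Serialize state as JSON and prepend an HMAC-SHA256 tag so that a
// browser-modified cookie is rejected before it is parsed.
function encode_state(array $state, string $key): string
{
    $json = json_encode($state, JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $json, $key) . '.' . base64_encode($json);
}

// Returns the decoded array, or null when the cookie is malformed or forged.
function decode_state(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $b64] = $parts;
    $json = base64_decode($b64, true); // strict mode: reject non-base64 input
    if ($json === false) {
        return null;
    }
    // Constant-time comparison of the tag; nothing is decoded if it fails.
    if (!hash_equals(hash_hmac('sha256', $json, $key), $mac)) {
        return null;
    }
    try {
        // assoc=true and a depth limit: the result is plain arrays/scalars only.
        $data = json_decode($json, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($data) ? $data : null;
}

// Round trip with a constructed sample state.
$cookie = encode_state(['access_token' => 'sample-token', 'expiry' => 1700000000], COOKIE_KEY);
var_dump(decode_state($cookie, COOKIE_KEY));

// The same cookie with its last two characters altered by the client.
var_dump(decode_state(substr($cookie, 0, -2) . 'AA', COOKIE_KEY));
```

If unserialize() has to stay for compatibility, PHP 7's second argument `['allowed_classes' => false]` stops it from instantiating objects.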