File Path Validation Issue in Auth0-PHP SDK by Auth0
CVE-2025-58769

3.3 LOW

Key Information:

Vendor: WordPress

CVE Published: 1 October 2025

What is CVE-2025-58769?

Versions 3.3.0 through 8.16.0 of the Auth0-PHP SDK contain a vulnerability in which the Bulk User Import endpoint does not validate file-path wrappers or their values. As a result, applications using the SDK may accept arbitrary file paths or URLs. Affected applications include those that use Auth0-PHP directly and those that rely on it indirectly through the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs. Users should upgrade to version 8.17.0 to mitigate this issue.

Affected Version(s)

laravel-auth0 >= 3.3.0, < 8.17.0

CVSS V3.1

Score: 3.3
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
