Improper Audience Validation in Auth0-PHP SDK by Auth0
CVE-2025-68129

6.8 MEDIUM

Key Information:

Vendor:
WordPress
Status:
Vendor
CVE Published:
17 December 2025

What is CVE-2025-68129?

The Auth0-PHP SDK, used to handle Auth0's authentication and management APIs, validates the audience claim of access tokens improperly. Because of this, an affected application can mistakenly accept an ID token where an access token is expected, exposing it to unauthorized access. Applications using Auth0-PHP versions 8.0.0 through 8.17.0 are affected, as are the SDKs built on it: Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress. Users are encouraged to upgrade to Auth0-PHP version 8.18.0, which corrects the audience validation.

Affected Version(s)

auth0-PHP >= 8.0.0, < 8.18.0

References

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
