CVE-2025-58769

Overview

In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs.

Am I affected?

You are affected by this vulnerability if either of the following applies:

  1. Your application uses the Auth0-PHP SDK, versions between v3.3.0 and v8.16.0, or
  2. Your application uses one of the following SDKs that rely on the Auth0-PHP SDK versions between v3.3.0 and v8.16.0:
     a. Auth0/symfony
     b. Auth0/laravel-auth0
     c. Auth0/wordpress
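
Both preconditions reduce to which Auth0-PHP version Composer resolved, because the wrapper SDKs pull it in as a dependency and it appears in `composer.lock` either way. The following check is an added example, not code from the advisory or from Auth0; it assumes the Composer package name `auth0/auth0-php`, reads "between v3.3.0 and v8.16.0" as inclusive, and uses a constructed sample lock file.

```python
import json
import re

PACKAGE = "auth0/auth0-php"   # assumed Composer package name of the Auth0-PHP SDK
FIRST_AFFECTED = (3, 3, 0)    # from the advisory; range read as inclusive (assumption)
LAST_AFFECTED = (8, 16, 0)    # 8.17.0 is the fixed release named in the advisory


def parse_version(raw):
    """Return (major, minor, patch) for a stable release string, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def check_lock(lock_text):
    """Classify the resolved Auth0-PHP version in a composer.lock document.

    Returns (status, version). status is "affected", "not-affected",
    "unknown" (branch alias or pre-release: review by hand) or
    "not-installed".
    """
    lock = json.loads(lock_text)
    # Dev-only dependencies count too: they may still run in CI or staging.
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() != PACKAGE:
                continue
            raw = pkg.get("version", "")
            ver = parse_version(raw)
            if ver is None:
                return ("unknown", raw)
            hit = FIRST_AFFECTED <= ver <= LAST_AFFECTED
            return ("affected" if hit else "not-affected", raw)
    return ("not-installed", None)


# Constructed sample lock file (not taken from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "monolog/monolog", "version": "3.5.0"},
        {"name": "auth0/auth0-php", "version": "8.16.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

An "unknown" result means the lock file pins a branch or pre-release, so the installed commit has to be compared against the 8.17.0 fix manually.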

Fix

Upgrade Auth0/Auth0-PHP to version 8.17.0 or greater.

Acknowledgement

Okta would like to thank Mohamed Amine Saidani (pwni) for discovering this vulnerability.

CVSS v3:

  • Severity: Unknown
  • Score:
  • AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N