CVE-2025-58769
LOWauth0-php 3.3.0-8.16.0 - Path Traversal via Bulk User Import Endpoint
Title source: llmDescription
auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. The vulnerability affects any application that either directly uses the Auth0-PHP SDK (versions 3.3.0–8.16.0) or indirectly relies on those versions through the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs. This issue is fixed in version 8.17.0.
References (6)
Core 6
Core References
Vendor Advisory x_refsource_confirm
https://github.com/auth0/laravel-auth0/security/advisories/GHSA-hjfh-5jmm-xr24
Vendor Advisory x_refsource_misc
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-9mh6-g99m-ppcw
Vendor Advisory x_refsource_misc
https://github.com/auth0/symfony/security/advisories/GHSA-7jp2-5h22-m432
Vendor Advisory x_refsource_misc
https://github.com/auth0/wordpress/security/advisories/GHSA-w22c-pw5m-482x
Patch x_refsource_misc
https://github.com/auth0/auth0-PHP/commit/9026da58f5c381cd4cb5932de829eff6eacbb65c
Release Notes x_refsource_misc
https://github.com/auth0/auth0-PHP/releases/tag/8.17.0
Scores
CVSS v3
3.3
EPSS
0.0033
EPSS Percentile
24.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
CWE-73
Status
published
Products (2)
auth0/auth0-php
3.3.0 - 8.17.0Packagist
auth0/laravel-auth0
>= 3.3.0, < 8.17.0
Published
Oct 01, 2025
Tracked Since
Feb 18, 2026