CVE-2025-58769

LOW

Auth0-PHP <8.16.0 - Path Traversal

Title source: llm

Description

auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. The vulnerability affects any application that either directly uses the Auth0-PHP SDK (versions 3.3.0–8.16.0) or indirectly relies on those versions through the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs. This issue is fixed in version 8.17.0.

References (6)

[Vendor Advisory] https://github.com/auth0/laravel-auth0/security/advisories/GHSA-hjfh-5jmm-xr24

[Vendor Advisory] https://github.com/auth0/auth0-PHP/security/advisories/GHSA-9mh6-g99m-ppcw

[Vendor Advisory] https://github.com/auth0/symfony/security/advisories/GHSA-7jp2-5h22-m432

[Vendor Advisory] https://github.com/auth0/wordpress/security/advisories/GHSA-w22c-pw5m-482x

[Patch] https://github.com/auth0/auth0-PHP/commit/9026da58f5c381cd4cb5932de829eff6eacbb65c

View Patch ZIP pw:eip

[Release Notes] https://github.com/auth0/auth0-PHP/releases/tag/8.17.0

Scores

CVSS v3 3.3

EPSS 0.0009

EPSS Percentile 25.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-22 CWE-73

Status published

Products (2)

auth0/auth0-php 3.3.0 - 8.17.0Packagist

auth0/laravel-auth0 >= 3.3.0, < 8.17.0

Published Oct 01, 2025

Tracked Since Feb 18, 2026