CVE-2025-68129

MEDIUM

Auth0-php < 8.18.0 - Incorrect Authorization


Description

Auth0-PHP is a PHP SDK for the Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, audience validation of access tokens is performed improperly; without proper validation, affected applications may accept ID tokens as access tokens. Projects are affected if they use Auth0-PHP SDK versions between v8.0.0 and v8.17.0, or if they use one of the following SDKs, which rely on Auth0-PHP SDK versions between v8.0.0 and v8.17.0: Auth0/symfony versions between 5.0.0 and 5.5.0, Auth0/laravel-auth0 versions between 7.0.0 and 7.19.0, and/or the Auth0/wordpress plugin versions between 5.0.0-BETA0 and 5.4.0. Auth0/Auth0-PHP version 8.18.0 contains a patch for the issue.
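The record does not show the SDK's faulty check or its fix. The following is an added PHP example, not Auth0-PHP's code, of the audience check an API (resource server) should apply so that an ID token is not accepted as an access token. It assumes Auth0's token conventions (an ID token's aud is the client ID and may carry a login nonce; an access token's aud lists the API identifier) and uses placeholder identifiers.

```php
<?php
declare(strict_types=1);

// Added example, not Auth0-PHP's code. Both identifiers are placeholders.
const EXPECTED_API_AUDIENCE = 'https://api.example.invalid/';
const CLIENT_ID = 'client-id-placeholder';

/**
 * Audience check for a token presented to an API. $claims is the decoded
 * payload of a JWT whose signature, issuer and expiry were already verified;
 * this function decides only whether it is an access token minted for this API.
 */
function isAccessTokenForApi(array $claims): bool
{
    if (!isset($claims['aud'])) {
        return false; // a token without an audience is never accepted
    }
    // RFC 7519 allows aud to be a single string or an array of strings.
    $aud = is_array($claims['aud']) ? $claims['aud'] : [$claims['aud']];
    foreach ($aud as $entry) {
        if (!is_string($entry)) {
            return false; // malformed audience entry
        }
    }
    // The API identifier must be present, compared strictly (no substring match).
    if (!in_array(EXPECTED_API_AUDIENCE, $aud, true)) {
        return false;
    }
    // Assumed Auth0 convention: an ID token is addressed to the client
    // application and may carry a login nonce. Either marker means the caller
    // presented the wrong token type, even if the API identifier also appears.
    if (in_array(CLIENT_ID, $aud, true) || isset($claims['nonce'])) {
        return false;
    }
    return true;
}

// Constructed sample payloads (signature verification is out of scope here).
$samples = [
    'access token for this API'     => ['aud' => [EXPECTED_API_AUDIENCE], 'azp' => CLIENT_ID, 'sub' => 'auth0|u1'],
    'ID token (aud = client ID)'    => ['aud' => CLIENT_ID, 'nonce' => 'n-1', 'sub' => 'auth0|u1'],
    'ID token also listing the API' => ['aud' => [CLIENT_ID, EXPECTED_API_AUDIENCE], 'nonce' => 'n-2', 'sub' => 'auth0|u1'],
    'access token for another API'  => ['aud' => ['https://other.example.invalid/'], 'sub' => 'auth0|u1'],
];
foreach ($samples as $label => $claims) {
    echo str_pad($label, 32) . ' => ' . (isAccessTokenForApi($claims) ? 'accept' : 'reject') . PHP_EOL;
}
```

Only the first sample is accepted; the check must run on an already signature-verified payload, since audience validation alone says nothing about who issued the token.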

Scores

CVSS v3 6.8
EPSS 0.0012
EPSS Percentile 31.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-863
Status published
Products (5)
auth0/auth0-php 8.0.0 - 8.18.0 (Packagist)
auth0/laravel-auth0 7.0.0 - 7.20.0
auth0/symfony 5.0.0 - 5.6.0
auth0/wp-auth0 5.0.0 - 5.5.0
Published Dec 17, 2025
Tracked Since Feb 18, 2026