CVE-2025-58769: auth0-PHP SDK Does Not Properly Handle File Types in Bulk User Import
Overview
In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs.
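The class of defect described above is a missing check on what kind of path is handed to a file-based import. The following is an added illustration of such a check, not code from the Auth0-PHP SDK or its fix; the function name `validateImportFilePath`, the exception class and the allowed-directory argument are assumptions for the example. It rejects anything carrying a stream-wrapper or URL scheme, canonicalises the path and requires it to be a readable regular file inside a directory the application controls.

```php
<?php
// Added example (not part of the Auth0-PHP SDK): validate a bulk-import file
// path before passing it to any import routine. The function name, exception
// class and $allowedDir argument are assumptions made for this illustration.
declare(strict_types=1);

final class ImportFileValidationException extends \RuntimeException {}

/**
 * Accept only a plain path to an existing, readable regular file located
 * inside $allowedDir. Anything with a "scheme://" prefix (PHP stream
 * wrappers such as php:// or data://, remote URLs such as https://) and
 * any path that escapes the allowed directory is rejected.
 */
function validateImportFilePath(string $path, string $allowedDir): string
{
    // A scheme prefix means a stream wrapper or URL, never a local file.
    if (preg_match('#^[a-zA-Z][a-zA-Z0-9+.\-]*://#', $path) === 1) {
        throw new ImportFileValidationException('Stream wrappers and URLs are not permitted.');
    }
    // Embedded NUL bytes can truncate the path in lower layers; refuse them.
    if (strpos($path, "\0") !== false) {
        throw new ImportFileValidationException('Path contains a NUL byte.');
    }

    $base = realpath($allowedDir);
    $real = realpath($path);
    if ($base === false || $real === false) {
        throw new ImportFileValidationException('File or allowed directory does not exist.');
    }
    // After canonicalisation the file must still sit under the allowed directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($real, $prefix) !== 0) {
        throw new ImportFileValidationException('Path escapes the allowed directory.');
    }
    if (!is_file($real) || !is_readable($real)) {
        throw new ImportFileValidationException('Path is not a readable regular file.');
    }
    return $real;
}

// Usage with constructed input: a small users file in a fresh temp directory.
$dir = sys_get_temp_dir() . '/bulk-import-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/users.json', '[{"email":"user@example.com"}]');

$candidates = [
    $dir . '/users.json',                 // accepted: regular file inside $dir
    'php://filter/resource=users.json',   // rejected: stream wrapper
    'https://example.com/users.json',     // rejected: remote URL
    $dir . '/../other/users.json',        // rejected: leaves $dir (or does not exist)
];
foreach ($candidates as $candidate) {
    try {
        echo 'OK   ', validateImportFilePath($candidate, $dir), PHP_EOL;
    } catch (ImportFileValidationException $e) {
        echo 'DENY ', $candidate, ': ', $e->getMessage(), PHP_EOL;
    }
}
```

Checking the scheme prefix before calling `realpath()` matters: `realpath()` returns `false` for wrapper paths anyway, but testing the raw string first gives a precise rejection reason and does not depend on wrapper behaviour. The prefix comparison is done on the canonicalised path so that `..` segments and symlinks cannot be used to point outside the allowed directory.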
Am I affected?
You are affected by this vulnerability if you meet the following preconditions:
- Applications using the Auth0-PHP SDK, versions between v3.3.0 and v8.16.0, or
- Applications using the following SDKs that rely on the Auth0-PHP SDK versions between v3.3.0 and v8.16.0:
  - Auth0/symfony
  - Auth0/laravel-auth0
  - Auth0/wordpress
Fix
Upgrade Auth0/Auth0-PHP to version 8.17.0 or greater.
Acknowledgement
Okta would like to thank Mohamed Amine Saidani (pwni) for discovering this vulnerability.
References
- github.com/advisories/GHSA-9mh6-g99m-ppcw
- github.com/auth0/auth0-PHP
- github.com/auth0/auth0-PHP/commit/9026da58f5c381cd4cb5932de829eff6eacbb65c
- github.com/auth0/auth0-PHP/releases/tag/8.17.0
- github.com/auth0/auth0-PHP/security/advisories/GHSA-9mh6-g99m-ppcw
- github.com/auth0/laravel-auth0/security/advisories/GHSA-hjfh-5jmm-xr24
- github.com/auth0/symfony/security/advisories/GHSA-7jp2-5h22-m432
- github.com/auth0/wordpress/security/advisories/GHSA-w22c-pw5m-482x
- nvd.nist.gov/vuln/detail/CVE-2025-58769