CVE-2025-58769

auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. The vulnerability affects any application that either directly uses the Auth0-PHP SDK (versions 3.3.0–8.16.0) or indirectly relies on those versions through the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs. This issue is fixed in version 8.17.0.

CVSS v3 3.3 LOW

3.3^/10

CVSS v3 : LOW

Vector :

Exploitability : 0.7 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/auth0/auth0-PHP/commit/9026da58f5c381cd4cb5932de829eff6eacbb65c
https://github.com/auth0/auth0-PHP/releases/tag/8.17.0
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-9mh6-g99m-ppcw
https://github.com/auth0/laravel-auth0/security/advisories/GHSA-hjfh-5jmm-xr24
https://github.com/auth0/symfony/security/advisories/GHSA-7jp2-5h22-m432
https://github.com/auth0/wordpress/security/advisories/GHSA-w22c-pw5m-482x

Configurations

No configuration.

History

01 Oct 2025, 20:18

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-10-01 20:18

Updated : 2025-10-02 19:11

NVD link : CVE-2025-58769

Mitre link : CVE-2025-58769

CVE.ORG link : CVE-2025-58769

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-73

External Control of File Name or Path

{"id": "CVE-2025-58769", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 0.7}]}, "published": "2025-10-01T20:18:38.077", "references": [{"url": "https://github.com/auth0/auth0-PHP/commit/9026da58f5c381cd4cb5932de829eff6eacbb65c", "source": "security-advisories@github.com"}, {"url": "https://github.com/auth0/auth0-PHP/releases/tag/8.17.0", "source": "security-advisories@github.com"}, {"url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-9mh6-g99m-ppcw", "source": "security-advisories@github.com"}, {"url": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-hjfh-5jmm-xr24", "source": "security-advisories@github.com"}, {"url": "https://github.com/auth0/symfony/security/advisories/GHSA-7jp2-5h22-m432", "source": "security-advisories@github.com"}, {"url": "https://github.com/auth0/wordpress/security/advisories/GHSA-w22c-pw5m-482x", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-73"}]}], "descriptions": [{"lang": "en", "value": "auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. The vulnerability affects any application that either directly uses the Auth0-PHP SDK (versions 3.3.0\u20138.16.0) or indirectly relies on those versions through the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs. This issue is fixed in version 8.17.0."}], "lastModified": "2025-10-02T19:11:46.753", "sourceIdentifier": "security-advisories@github.com"}