PT-2025-40296 · Auth0+1 · Auth0-Php+4

Mohamed Amine Saidani · Published 2025-10-01 · Updated 2025-10-02 · CVE-2025-58769

CVSS v3.1: 3.3 (Low)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Vulnerable software and affected versions: auth0-PHP versions 3.3.0 through 8.16.0

Description: The Bulk User Import endpoint does not validate file path wrappers or values, potentially allowing acceptance of arbitrary file paths or URLs. This affects applications directly using the Auth0-PHP SDK versions 3.3.0 through 8.16.0, as well as applications relying on the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs that utilize the affected Auth0-PHP SDK versions. The issue stems from a lack of proper validation when processing file paths. The vulnerable endpoint is the Bulk User Import endpoint.

Recommendations: Upgrade Auth0-PHP to version 8.17.0 or greater.

Exploit

Fix

Weakness Enumeration

Unrestricted File Upload
Path traversal

Related identifiers

CVE-2025-58769
GHSA-7JP2-5H22-M432
GHSA-9MH6-G99M-PPCW
GHSA-HJFH-5JMM-XR24
GHSA-W22C-PW5M-482X

Affected products

Auth0/Laravel-Auth0
Auth0/Symfony
Auth0/Wordpress
Wordpress
Auth0-Php