PT-2025-40296 · Auth0 (+1) · Auth0-Php (+4)
Researcher: Mohamed Amine Saidani (+1)
Published: 2025-10-01 · Updated: 2025-10-02
CVE-2025-58769
CVSS v3.1: 3.3 (Low)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
auth0-PHP versions 3.3.0 through 8.16.0
Description
The Bulk User Import endpoint of the Auth0-PHP SDK does not validate the file path it is given: neither PHP stream wrappers nor the path value itself are checked, so the SDK may accept an arbitrary local file path or a URL in place of the intended import file. This affects applications that use Auth0-PHP versions 3.3.0 through 8.16.0 directly, and applications that rely on the Auth0/symfony, Auth0/laravel-auth0 or Auth0/wordpress SDKs built on those Auth0-PHP versions. The root cause is missing validation when the file path is processed.
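As an added illustration of the kind of validation the description says is missing, the PHP helper below refuses stream wrappers and confines the import file to a known directory before it is handed to a bulk import. This is example code written for this page, not the SDK's actual patch; the function name validateImportFilePath, the allowed-directory parameter and the demo inputs are assumptions, and the code needs PHP 8.0 or later for str_contains and str_starts_with.

```php
<?php
declare(strict_types=1);

/**
 * Validate a caller-supplied path before handing it to a bulk user import.
 * Hypothetical helper written for this advisory page; not part of Auth0-PHP.
 *
 * Rejects PHP stream wrappers (php://, http://, data://, phar://, ...),
 * resolves symlinks and ".." segments with realpath(), and requires the
 * result to be a regular, readable file inside $allowedDir.
 */
function validateImportFilePath(string $path, string $allowedDir): string
{
    // Any "scheme://" prefix selects a PHP stream wrapper; only plain paths are accepted.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        throw new InvalidArgumentException('Stream wrappers are not permitted in import file paths.');
    }
    // An embedded NUL byte can truncate the path in the underlying C calls.
    if (str_contains($path, "\0")) {
        throw new InvalidArgumentException('Path contains a NUL byte.');
    }

    $base = realpath($allowedDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('Allowed import directory does not exist.');
    }
    // realpath() returns false for a non-existent file, which is also a rejection.
    $resolved = realpath($path);
    if ($resolved === false) {
        throw new InvalidArgumentException('Import file does not exist.');
    }
    // Containment check on the canonical path, so "../" and symlinks cannot escape $allowedDir.
    if (!str_starts_with($resolved, $base . DIRECTORY_SEPARATOR)) {
        throw new InvalidArgumentException('Import file is outside the allowed directory.');
    }
    if (!is_file($resolved) || !is_readable($resolved)) {
        throw new InvalidArgumentException('Import path is not a readable regular file.');
    }
    return $resolved;
}

// Demonstration with constructed inputs (no real data).
$dir = sys_get_temp_dir() . '/auth0-import-demo';
@mkdir($dir, 0700, true);
file_put_contents($dir . '/users.json', '[{"email":"user@example.com"}]');

$candidates = [
    $dir . '/users.json',                             // accepted
    $dir . '/../outside.json',                        // rejected: resolves outside $dir
    'php://filter/resource=' . $dir . '/users.json',  // rejected: stream wrapper
    'https://example.com/users.json',                 // rejected: remote URL
];
foreach ($candidates as $candidate) {
    try {
        $ok = validateImportFilePath($candidate, $dir);
        echo "accepted: {$ok}\n";
    } catch (Throwable $e) {
        echo "rejected: {$candidate} ({$e->getMessage()})\n";
    }
}
```

The containment check deliberately operates on the realpath() result rather than the raw string, because a string-prefix check on the unresolved path is defeated by "../" segments and symlinks. Application-level validation of this kind is a defence in depth; the fix for the SDK itself is the upgrade given in the recommendations.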
Recommendations
Upgrade Auth0-PHP to version 8.17.0 or greater.
Unrestricted File Upload
Path traversal
Affected Products
Auth0/Laravel-Auth0
Auth0/Symfony
Auth0/Wordpress
Wordpress
Auth0-Php