CVE-2025-58769

Description

### Overview In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. ### Am I affected? You are affected by this vulnerability if you meet the following preconditions: 1. Applications using the Auth0 laravel-auth0 SDK with version between 4.0.0 and 7.18.0, 2. Auth0 laravel-auth0 SDK uses the Auth0-PHP SDK with versions between 3.3.0 and 8.16.0. ### Fix Upgrade Auth0 laravel-auth0 SDK to version 7.19.0 or greater. ### Acknowledgement Okta would like to thank Mohamed Amine Saidani (pwni) for discovering this vulnerability.

Affected packages (3)

• Packagist/auth0/auth0-php>= 3.3.0, < 8.17.0
• Packagist/auth0/login>= 4.0.0, < 7.19.0
• Packagist/auth0/symfony>= 2.0.2, < 5.5.0

CVSS scores

References (14)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-58769
• PATCHhttps://github.com/auth0/auth0-PHP
• PATCHhttps://github.com/auth0/laravel-auth0
• PATCHhttps://github.com/auth0/symfony
• WEBhttps://github.com/auth0/auth0-PHP/commit/9026da58f5c381cd4cb5932de829eff6eacbb65c
• WEBhttps://github.com/auth0/auth0-PHP/releases/tag/8.17.0
• WEBhttps://github.com/auth0/auth0-PHP/security/advisories/GHSA-9mh6-g99m-ppcw
• WEBhttps://github.com/auth0/laravel-auth0/commit/c33c609fb041f7fe65deb6133feee0cb33fa80a5
• WEBhttps://github.com/auth0/laravel-auth0/releases/tag/7.19.0
• WEBhttps://github.com/auth0/laravel-auth0/security/advisories/GHSA-hjfh-5jmm-xr24
• WEBhttps://github.com/auth0/symfony/commit/0b6dbd1a7e6ffeebf4cbb08831c9ca9052d2c577
• WEBhttps://github.com/auth0/symfony/releases/tag/5.5.0
• WEBhttps://github.com/auth0/symfony/security/advisories/GHSA-7jp2-5h22-m432
• WEBhttps://github.com/auth0/wordpress/security/advisories/GHSA-w22c-pw5m-482x