CVE-2025-58769
LOW3.3EPSS 0.09%laravel-auth0 SDK Does Not Properly Handle File Types in Bulk User Import
描述
### Overview In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. ### Am I affected? You are affected by this vulnerability if you meet the following preconditions: 1. Applications using the Auth0 laravel-auth0 SDK with version between 4.0.0 and 7.18.0, 2. Auth0 laravel-auth0 SDK uses the Auth0-PHP SDK with versions between 3.3.0 and 8.16.0. ### Fix Upgrade Auth0 laravel-auth0 SDK to version 7.19.0 or greater. ### Acknowledgement Okta would like to thank Mohamed Amine Saidani (pwni) for discovering this vulnerability.
受影響套件(3)
- Packagist/auth0/auth0-php>= 3.3.0, < 8.17.0
- Packagist/auth0/login>= 4.0.0, < 7.19.0
- Packagist/auth0/symfony>= 2.0.2, < 5.5.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | LOW3.3 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N |
參考連結(14)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-58769
- PATCHhttps://github.com/auth0/auth0-PHP
- PATCHhttps://github.com/auth0/laravel-auth0
- PATCHhttps://github.com/auth0/symfony
- WEBhttps://github.com/auth0/auth0-PHP/commit/9026da58f5c381cd4cb5932de829eff6eacbb65c
- WEBhttps://github.com/auth0/auth0-PHP/releases/tag/8.17.0
- WEBhttps://github.com/auth0/auth0-PHP/security/advisories/GHSA-9mh6-g99m-ppcw
- WEBhttps://github.com/auth0/laravel-auth0/commit/c33c609fb041f7fe65deb6133feee0cb33fa80a5
- WEBhttps://github.com/auth0/laravel-auth0/releases/tag/7.19.0
- WEBhttps://github.com/auth0/laravel-auth0/security/advisories/GHSA-hjfh-5jmm-xr24
- WEBhttps://github.com/auth0/symfony/commit/0b6dbd1a7e6ffeebf4cbb08831c9ca9052d2c577
- WEBhttps://github.com/auth0/symfony/releases/tag/5.5.0
- WEBhttps://github.com/auth0/symfony/security/advisories/GHSA-7jp2-5h22-m432
- WEBhttps://github.com/auth0/wordpress/security/advisories/GHSA-w22c-pw5m-482x