auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. The vulnerability affects any application that either directly uses the Auth0-PHP SDK (versions 3.3.0–8.16.0) or indirectly relies on those versions through the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs. This issue is fixed in version 8.17.0.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 01 Oct 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Oct 2025 20:00:00 +0000

Type Values Removed Values Added
Description auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. The vulnerability affects any application that either directly uses the Auth0-PHP SDK (versions 3.3.0–8.16.0) or indirectly relies on those versions through the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs. This issue is fixed in version 8.17.0.
Title auth0-PHP: Improper File Type Handling in Bulk User Import
Weaknesses CWE-22
CWE-73
References
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-10-01T20:09:45.900Z

Reserved: 2025-09-04T19:18:09.501Z

Link: CVE-2025-58769

cve-icon Vulnrichment

Updated: 2025-10-01T20:09:38.216Z

cve-icon NVD

Status : Received

Published: 2025-10-01T20:18:38.077

Modified: 2025-10-01T20:18:38.077

Link: CVE-2025-58769

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.