Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-hjfh-5jmm-xr24: laravel-auth0 SDK Does Not Properly Handle File Types in Bulk User Import

Overview

In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs.

Am I affected?

You are affected by this vulnerability if you meet the following preconditions:

  1. Applications using the Auth0 laravel-auth0 SDK with version between 4.0.0 and 7.18.0,
  2. Auth0 laravel-auth0 SDK uses the Auth0-PHP SDK with versions between 3.3.0 and 8.16.0.

Fix

Upgrade Auth0 laravel-auth0 SDK to version 7.19.0 or greater.

Acknowledgement

Okta would like to thank Mohamed Amine Saidani (pwni) for discovering this vulnerability.

ghsa
Open in Source
#vulnerability#web#git#intel#php#perl#auth

Skip to content

Navigation Menu

    • GitHub Copilot

      Write better code with AI

    • GitHub Spark New

      Build and deploy intelligent apps

    • GitHub Models New

      Manage and compare prompts

    • GitHub Advanced Security

      Find and fix vulnerabilities

    • Actions

      Automate any workflow

*   Codespaces
    
    Instant dev environments
    
*   Issues
    
    Plan and track work
    
*   Code Review
    
    Manage code changes
    
*   Discussions
    
    Collaborate outside of code
    
*   Code Search
    
    Find more, search less
    

View all features

  • Explore

    • Learning Pathways
    • Events & Webinars
    • Ebooks & Whitepapers
    • Customer Stories
    • Partners
    • Executive Insights

    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles

    • Enterprise platform

      AI-powered developer platform

  • Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

Appearance settings

  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. GHSA-hjfh-5jmm-xr24

laravel-auth0 SDK Does Not Properly Handle File Types in Bulk User Import

Package

Affected versions

>= 4.0.0, <= 7.18.0

Description

Overview

In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs.

Am I affected?

You are affected by this vulnerability if you meet the following preconditions:

  1. Applications using the Auth0 laravel-auth0 SDK with version between 4.0.0 and 7.18.0,
  2. Auth0 laravel-auth0 SDK uses the Auth0-PHP SDK with versions between 3.3.0 and 8.16.0.

Fix

Upgrade Auth0 laravel-auth0 SDK to version 7.19.0 or greater.

Acknowledgement

Okta would like to thank Mohamed Amine Saidani (pwni) for discovering this vulnerability.

References

  • GHSA-hjfh-5jmm-xr24
  • https://nvd.nist.gov/vuln/detail/CVE-2025-58769
  • auth0/laravel-auth0@c33c609
  • https://github.com/auth0/laravel-auth0/releases/tag/7.19.0

Published to the GitHub Advisory Database

Oct 1, 2025

EPSS score

ghsa: Latest News

GHSA-86rg-8hc8-v82p: LibreNMS is vulnerable to Reflected-XSS in `report_this` function
ghsa