GHSA-9mh6-g99m-ppcw: auth0-PHP SDK Does Not Properly Handle File Types in Bulk User Import

Overview

In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs.
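An application-side check for the condition described above, as an added example: it is not code from the advisory or the Auth0-PHP SDK, and not the SDK's fix. It refuses wrapper or URL style values and confines the path to one import directory before the application hands it to the bulk import call. The function name, the demo directory and the sample inputs are assumptions; requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not Auth0 SDK code. validateImportFilePath() is a hypothetical
// helper; $allowedDir is the only directory the application stores import files in.
function validateImportFilePath(string $path, string $allowedDir): string
{
    // Refuse empty values, NUL bytes and anything shaped like "scheme://..." (wrapper or URL).
    if ($path === '' || str_contains($path, "\0") || str_contains($path, '://')) {
        throw new InvalidArgumentException('Wrapper, URL or malformed path');
    }

    // realpath() resolves symlinks and ".." and returns false for anything that is
    // not an existing local path, so the containment check sees the real location.
    $base = realpath($allowedDir);
    $real = realpath($path);
    if ($base === false || $real === false) {
        throw new InvalidArgumentException('Path does not exist');
    }
    if (!str_starts_with($real, rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR)) {
        throw new InvalidArgumentException('Path is outside the import directory');
    }

    // Bulk user import payloads are JSON files; accept only readable regular files.
    if (!is_file($real) || !is_readable($real)) {
        throw new InvalidArgumentException('Not a readable regular file');
    }
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'json') {
        throw new InvalidArgumentException('Import file must be .json');
    }
    return $real;
}

// Constructed demo inputs: one legitimate file and two values that must be refused.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'imports-demo';
if (!is_dir($dir)) { mkdir($dir); }
file_put_contents($dir . DIRECTORY_SEPARATOR . 'users.json', '[]');
$candidates = [$dir . DIRECTORY_SEPARATOR . 'users.json', 'https://example.invalid/users.json', __FILE__];
foreach ($candidates as $candidate) {
    try {
        echo 'accepted: ', validateImportFilePath($candidate, $dir), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $candidate, ' (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Pass only the returned canonical path onward, never the original caller-supplied string.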

Am I affected?

You are affected by this vulnerability if your application meets either of the following preconditions:

  1. It uses the Auth0-PHP SDK, versions between v3.3.0 and v8.16.0, or
  2. It uses one of the following SDKs that rely on the Auth0-PHP SDK versions between v3.3.0 and v8.16.0:
    a. Auth0/symfony,
    b. Auth0/laravel-auth0,
    c. Auth0/wordpress.

Fix

Upgrade Auth0/Auth0-PHP to version 8.17.0 or greater.

Acknowledgement

Okta would like to thank Mohamed Amine Saidani (pwni) for discovering this vulnerability.

CVE ID: CVE-2025-58769 (GitHub Advisory Database, GitHub Reviewed)

Severity: Low • GitHub Reviewed • Published Oct 1, 2025 in auth0/auth0-PHP • Updated Oct 1, 2025

Package

auth0/auth0-php (Composer)

Affected versions

>= 3.3.0, <= 8.16.0

References

  • GHSA-9mh6-g99m-ppcw
  • auth0/auth0-PHP@9026da5
  • https://github.com/auth0/auth0-PHP/releases/tag/8.17.0

Published to the GitHub Advisory Database

Oct 1, 2025
