CVE-2025-58769

3.3 LOW
Published: October 01, 2025 Modified: October 02, 2025
View on NVD

Description

auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. The vulnerability affects any application that either directly uses the Auth0-PHP SDK (versions 3.3.0–8.16.0) or indirectly relies on those versions through the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs. This issue is fixed in version 8.17.0.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/auth0/auth0-PHP/commit/9026da58f5c381cd4cb5932de829eff6eacbb65c
Source: security-advisories@github.com
https://github.com/auth0/auth0-PHP/releases/tag/8.17.0
Source: security-advisories@github.com
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-9mh6-g99m-ppcw
Source: security-advisories@github.com
https://github.com/auth0/laravel-auth0/security/advisories/GHSA-hjfh-5jmm-xr24
Source: security-advisories@github.com
https://github.com/auth0/symfony/security/advisories/GHSA-7jp2-5h22-m432
Source: security-advisories@github.com
https://github.com/auth0/wordpress/security/advisories/GHSA-w22c-pw5m-482x
Source: security-advisories@github.com

6 reference(s) from NVD

Quick Stats

CVSS v3 Score
3.3 / 10.0
EPSS (Exploit Probability)
0.1%
27th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-22 CWE-73

Related CVEs

CVE-2025-52691 10.0
CVE-2025-15168 7.3
CVE-2025-15167 7.3
CVE-2025-15166 7.3
CVE-2025-15165 7.3