CVE-2025-58769
BaseFortify
Publication date: 2025-10-01
Last updated on: 2025-10-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| auth0 | wordpress | 5.3.0 |
| auth0 | laravel-auth0 | 4.0.0 |
| auth0 | symfony | 5.5.0 |
| auth0 | symfony | 5.4.1 |
| auth0 | auth0-php | 3.3.0 |
| auth0 | auth0-php | 8.16.0 |
| auth0 | symfony | 2.0.2 |
| auth0 | wordpress | 5.0.0-beta0 |
| auth0 | wordpress | 5.4.0 |
| auth0 | laravel-auth0 | 7.18.0 |
| auth0 | laravel-auth0 | 7.19.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the auth0-PHP SDK versions 3.3.0 through 8.16.0, specifically in the Bulk User Import endpoint. The issue is that the endpoint does not properly validate the file-path wrapper or value, which means that affected applications may accept arbitrary file paths or URLs. This can lead to unintended behavior or security risks when importing users in applications using these SDK versions.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing an attacker to supply arbitrary file paths or URLs to the Bulk User Import endpoint, potentially leading to unauthorized access or manipulation of data during user import processes. This could result in information disclosure or integrity issues within applications that use the affected SDK versions.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Auth0-PHP SDK to version 8.17.0 or later, which contains the fix for the Bulk User Import endpoint validation issue. Additionally, review any applications that use the affected SDK versions (3.3.0 through 8.16.0) directly or indirectly through Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, and apply the update accordingly.