CVE-2025-58769
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-58769, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-01

Last updated on: 2025-10-02

Assigner: GitHub, Inc.

Description

auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. The vulnerability affects any application that either directly uses the Auth0-PHP SDK (versions 3.3.0–8.16.0) or indirectly relies on those versions through the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs. This issue is fixed in version 8.17.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-01
Last Modified
2025-10-02
Generated
2026-07-06
AI Q&A
2025-10-01
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 11 associated CPEs
Vendor Product Version / Range
auth0 wordpress 5.3.0
auth0 laravel-auth0 4.0.0
auth0 symfony 5.5.0
auth0 symfony 5.4.1
auth0 auth0-php 3.3.0
auth0 auth0-php 8.16.0
auth0 symfony 2.0.2
auth0 wordpress 5.0.0-beta0
auth0 wordpress 5.4.0
auth0 laravel-auth0 7.18.0
auth0 laravel-auth0 7.19.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the auth0-PHP SDK versions 3.3.0 through 8.16.0, specifically in the Bulk User Import endpoint. The issue is that the endpoint does not properly validate the file-path wrapper or value, which means that affected applications may accept arbitrary file paths or URLs. This can lead to unintended behavior or security risks when importing users in applications using these SDK versions.

Impact Analysis

The vulnerability can impact you by allowing an attacker to supply arbitrary file paths or URLs to the Bulk User Import endpoint, potentially leading to unauthorized access or manipulation of data during user import processes. This could result in information disclosure or integrity issues within applications that use the affected SDK versions.

Mitigation Strategies

To mitigate this vulnerability, update the Auth0-PHP SDK to version 8.17.0 or later, which contains the fix for the Bulk User Import endpoint validation issue. Additionally, review any applications that use the affected SDK versions (3.3.0 through 8.16.0) directly or indirectly through Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, and apply the update accordingly.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58769. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart