CVE-2025-68129
Improper Audience Validation in Auth0-PHP SDK Allows Token Misuse
Publication date: 2025-12-17
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| auth0 | auth0-php | From 8.0.0 (inc) to 8.18.0 (exc) |
| auth0 | laravel-auth0 | From 7.0.0 (inc) to 7.20.0 (exc) |
| auth0 | symfony | From 5.0.0 (inc) to 5.6.0 (exc) |
| auth0 | wp-auth0 | From 5.0.0 (inc) to 5.5.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Auth0-PHP SDK where the audience validation in access tokens is performed improperly. Because of this improper validation, affected applications may mistakenly accept ID tokens as Access tokens, which can lead to security issues. The problem affects Auth0-PHP SDK versions between v8.0.0 and v8.17.0 and other SDKs relying on these versions. The issue is fixed in version 8.18.0.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing applications to accept ID tokens as Access tokens due to improper audience validation. This can lead to unauthorized access or privilege escalation because ID tokens are not meant to be used as Access tokens, potentially compromising the security of your application.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade the Auth0-PHP SDK to version 8.18.0 or later, which contains the patch for the issue. Also, update any dependent SDKs such as Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress plugin to versions that rely on Auth0-PHP 8.18.0 or later.