Package details: pkg:composer/auth0/auth0-php@8.16.0
purl pkg:composer/auth0/auth0-php@8.16.0
Next non-vulnerable version 8.19.0
Latest non-vulnerable version 8.19.0
Risk 4.0
Vulnerabilities affecting this package (3)
Vulnerability: VCID-2swz-5ukp-1qgj
Aliases: CVE-2025-58769, GHSA-9mh6-g99m-ppcw
Summary: auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. The vulnerability affects any application that either directly uses the Auth0-PHP SDK (versions 3.3.0–8.16.0) or indirectly relies on those versions through the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs. This issue is fixed in version 8.17.0.
Fixed by: 8.17.0 (affected by 2 other vulnerabilities)

Vulnerability: VCID-gfc3-9m5s-m3bt
Aliases: CVE-2025-68129, GHSA-j2vm-wrq3-f7gf
Summary: Auth0-PHP SDK has Improper Audience Validation
Fixed by: 8.18.0 (affected by 1 other vulnerability)

Vulnerability: VCID-j9jk-6h3d-zfg6
Aliases: CVE-2026-34236, GHSA-w3wc-44p4-m4j7
Summary: Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. This issue has been patched in version 8.19.0.
Fixed by: 8.19.0 (affected by 0 other vulnerabilities)
Vulnerabilities fixed by this package (0)
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-06-12T21:46:38.481982+00:00 | GitLab Importer | Affected by | VCID-j9jk-6h3d-zfg6 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/auth0/auth0-php/CVE-2026-34236.yml | 38.6.0 |
| 2026-06-12T20:40:39.894965+00:00 | GitLab Importer | Affected by | VCID-gfc3-9m5s-m3bt | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/auth0/auth0-php/CVE-2025-68129.yml | 38.6.0 |
| 2026-06-12T20:22:40.760490+00:00 | GitLab Importer | Affected by | VCID-2swz-5ukp-1qgj | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/auth0/auth0-php/CVE-2025-58769.yml | 38.6.0 |
| 2026-06-11T20:36:23.031550+00:00 | GHSA Importer | Affected by | VCID-2swz-5ukp-1qgj | https://github.com/advisories/GHSA-9mh6-g99m-ppcw | 38.6.0 |