| purl | pkg:composer/auth0/auth0-php@8.3.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-8dve-yw6d-17gg (Aliases: CVE-2025-68129, GHSA-j2vm-wrq3-f7gf) | **Auth0-PHP SDK has Improper Audience Validation.** In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. | Affected by 1 other vulnerability. |
| VCID-kkcj-dvp9-tbg4 (Aliases: CVE-2025-48951, GHSA-v9m8-9xxp-q492) | **Auth0-PHP SDK Deserialization of Untrusted Data vulnerability.** **Overview:** The Auth0 PHP SDK contains a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. **Am I Affected?** You are affected by this vulnerability if you meet the following preconditions: 1. Applications using the Auth0-PHP SDK, versions between 8.0.0-BETA3 and 8.3.0. 2. Applications using the following SDKs that rely on the Auth0-PHP SDK versions between 8.0.0-BETA3 and 8.3.0: a. Auth0/symfony, b. Auth0/laravel-auth0, c. Auth0/wordpress. **Fix:** Upgrade Auth0/Auth0-PHP to 8.3.1. **Acknowledgement:** Okta would like to thank Andreas Forsblom for discovering this vulnerability. | Affected by 4 other vulnerabilities. |
| VCID-ra6g-hrt7-yue7 (Aliases: CVE-2025-58769, GHSA-9mh6-g99m-ppcw) | **auth0-PHP SDK Does Not Properly Handle File Types in Bulk User Import.** **Overview:** In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. **Am I affected?** You are affected by this vulnerability if you meet the following preconditions: 1. Applications using the Auth0-PHP SDK, versions between v3.3.0 and v8.16.0, or 2. Applications using the following SDKs that rely on the Auth0-PHP SDK versions between v3.3.0 and v8.16.0: a. Auth0/symfony, b. Auth0/laravel-auth0, c. Auth0/wordpress. **Fix:** Upgrade Auth0/Auth0-PHP to version 8.17.0 or greater. **Acknowledgement:** Okta would like to thank Mohamed Amine Saidani (pwni) for discovering this vulnerability. | Affected by 2 other vulnerabilities. |
| VCID-uyde-c8s3-eyfk (Aliases: CVE-2025-47275, GHSA-g98g-r7gf-2r25) | **Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK.** **Overview:** Session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. **Am I Affected?** You are affected by this vulnerability if you meet the following preconditions: 1. Applications using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK: a. Auth0/symfony, b. Auth0/laravel-auth0, c. Auth0/wordpress; 2. Session storage configured with CookieStore. **Fix:** Upgrade Auth0/Auth0-PHP to v8.14.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected. **Acknowledgement:** Okta would like to thank Félix Charette for discovering this vulnerability. | Affected by 3 other vulnerabilities. |
| VCID-yp9u-s51c-rbfx (Aliases: CVE-2026-34236, GHSA-w3wc-44p4-m4j7) | **Auth0 PHP SDK has Insufficient Entropy in Cookie Encryption.** **Impact:** In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. **Am I Affected?** Consumers are affected if their application meets the following preconditions: their application is using the Auth0-PHP SDK, versions between 8.0.0 and 8.18.0; or their application is using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK: Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress. **Resolution:** Upgrade Auth0/Auth0-PHP to version 8.19.0 or greater. | Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |