{"url":"http://public2.vulnerablecode.io/api/packages/85155?format=json","purl":"pkg:composer/auth0/login@7.17.0","type":"composer","namespace":"auth0","name":"login","version":"7.17.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"7.21.0","latest_non_vulnerable_version":"7.21.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49458?format=json","vulnerability_id":"VCID-4sz7-jkkn-abhw","summary":"Auth0 Laravel SDK has Improper Audience Validation via Auth0-PHP SDK dependency\nIn applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.","references":[{"reference_url":"https://github.com/auth0/laravel-auth0","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/laravel-auth0"},{"reference_url":"https://github.com/auth0/laravel-auth0/commit/a1c3344dc0e5a36e8f56c8cfc535728d3d7558f3","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/laravel-auth0/commit/a1c3344dc0e5a36e8f56c8cfc535728d3d7558f3"},{"reference_url":"https://github.com/auth0/laravel-auth0/releases/tag/7.20.0","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/laravel-auth0/releases/tag/7.20.0"},{"reference_url":"https://github.com/advisories/GHSA-7hh9-gp72-wh7h","reference_id":"GHSA-7hh9-gp72-wh7h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7hh9-gp72-wh7h"},{"reference_url":"https://github.com/auth0/laravel-auth0/security/advisories/GHSA-7hh9-gp72-wh7h","reference_id":"GHSA-7hh9-gp72-wh7h","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/laravel-auth0/security/advisories/GHSA-7hh9-gp72-wh7h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73018?format=json","purl":"pkg:composer/auth0/login@7.20.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-evvr-qapt-tqge"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/auth0/login@7.20.0"}],"aliases":["GHSA-7hh9-gp72-wh7h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4sz7-jkkn-abhw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89274?format=json","vulnerability_id":"VCID-evvr-qapt-tqge","summary":"Auth0 laravel-auth0 SDK has Insufficient Entropy in Cookie Encryption\n### Impact\nIn applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies.\n\n### Am I Affected?\nYou are affected if you meet the following preconditions:\n\n- Applications using laravel-auth0 SDK, versions between 7.0.0 and 7.20.0\n- Laravel-auth0 SDK using the Auth0-PHP SDK versions between 8.0.0 to 8.18.0.\n\n\n### Resolution\nUpgrade Auth0/laravel-auth0 to version 7.21.0 or greater.","references":[{"reference_url":"https://github.com/auth0/laravel-auth0","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/laravel-auth0"},{"reference_url":"https://github.com/auth0/laravel-auth0/security/advisories/GHSA-fmg6-246m-9g2v","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/laravel-auth0/security/advisories/GHSA-fmg6-246m-9g2v"},{"reference_url":"https://github.com/advisories/GHSA-fmg6-246m-9g2v","reference_id":"GHSA-fmg6-246m-9g2v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fmg6-246m-9g2v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110314?format=json","purl":"pkg:composer/auth0/login@7.21.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/auth0/login@7.21.0"}],"aliases":["GHSA-fmg6-246m-9g2v"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-evvr-qapt-tqge"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47925?format=json","vulnerability_id":"VCID-w33s-fnqx-a3ek","summary":"laravel-auth0 SDK Does Not Properly Handle File Types in Bulk User Import\n### Overview\nIn applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs.\n\n### Am I affected?\nYou are affected by this vulnerability if you meet the following preconditions:\n1. Applications using the Auth0 laravel-auth0 SDK with version between 4.0.0 and 7.18.0,\n2. Auth0 laravel-auth0 SDK uses the Auth0-PHP SDK with versions between 3.3.0 and 8.16.0.\n\n### Fix\nUpgrade Auth0 laravel-auth0 SDK to version 7.19.0 or greater.\n\n### Acknowledgement\nOkta would like to thank Mohamed Amine Saidani (pwni) for discovering this vulnerability.","references":[{"reference_url":"https://github.com/auth0/laravel-auth0","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/laravel-auth0"},{"reference_url":"https://github.com/auth0/laravel-auth0/commit/c33c609fb041f7fe65deb6133feee0cb33fa80a5","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/laravel-auth0/commit/c33c609fb041f7fe65deb6133feee0cb33fa80a5"},{"reference_url":"https://github.com/auth0/laravel-auth0/releases/tag/7.19.0","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/laravel-auth0/releases/tag/7.19.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58769","reference_id":"CVE-2025-58769","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58769"},{"reference_url":"https://github.com/advisories/GHSA-hjfh-5jmm-xr24","reference_id":"GHSA-hjfh-5jmm-xr24","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hjfh-5jmm-xr24"},{"reference_url":"https://github.com/auth0/laravel-auth0/security/advisories/GHSA-hjfh-5jmm-xr24","reference_id":"GHSA-hjfh-5jmm-xr24","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/laravel-auth0/security/advisories/GHSA-hjfh-5jmm-xr24"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/70712?format=json","purl":"pkg:composer/auth0/login@7.19.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4sz7-jkkn-abhw"},{"vulnerability":"VCID-evvr-qapt-tqge"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/auth0/login@7.19.0"}],"aliases":["GHSA-hjfh-5jmm-xr24"],"risk_score":1.5,"exploitability":"0.5","weighted_severity":"3.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w33s-fnqx-a3ek"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57311?format=json","vulnerability_id":"VCID-kz9r-kj2j-5ue7","summary":"laravel-auth0 SDK Vulnerable to Brute Force Authentication Tags of CookieStore Sessions\n**Overview**\nSession cookies of applications using the laravel-auth0 SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.\n\n**Am I Affected?**\nYou are affected by this vulnerability if you meet the following pre-conditions:\n1. Applications using laravel-auth0 SDK with version <=7.16.0\n2. laravel-auth0 SDK uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0.\n3. Session storage configured with CookieStore.\n\n**Fix**\nUpgrade Auth0/laravel-auth0 to v7.17.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.\n\n**Acknowledgement**\nOkta would like to thank Félix Charette for discovering this vulnerability.","references":[{"reference_url":"https://github.com/auth0/laravel-auth0","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/laravel-auth0"},{"reference_url":"https://github.com/auth0/laravel-auth0/commit/be2c59adb476c49945dcc55741a54c7a68c1741d","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/laravel-auth0/commit/be2c59adb476c49945dcc55741a54c7a68c1741d"},{"reference_url":"https://github.com/auth0/laravel-auth0/releases/tag/7.17.0","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/laravel-auth0/releases/tag/7.17.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47275","reference_id":"CVE-2025-47275","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47275"},{"reference_url":"https://github.com/advisories/GHSA-9fwj-9mjf-rhj3","reference_id":"GHSA-9fwj-9mjf-rhj3","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9fwj-9mjf-rhj3"},{"reference_url":"https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj3","reference_id":"GHSA-9fwj-9mjf-rhj3","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85155?format=json","purl":"pkg:composer/auth0/login@7.17.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4sz7-jkkn-abhw"},{"vulnerability":"VCID-evvr-qapt-tqge"},{"vulnerability":"VCID-w33s-fnqx-a3ek"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/auth0/login@7.17.0"}],"aliases":["GHSA-9fwj-9mjf-rhj3"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kz9r-kj2j-5ue7"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/auth0/login@7.17.0"}