| purl | pkg:composer/auth0/auth0-php@8.3.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-2swz-5ukp-1qgj (Aliases: CVE-2025-58769, GHSA-9mh6-g99m-ppcw) | auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. The vulnerability affects any application that either directly uses the Auth0-PHP SDK (versions 3.3.0–8.16.0) or indirectly relies on those versions through the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs. This issue is fixed in version 8.17.0. | Affected by 2 other vulnerabilities. |
| VCID-731m-xrcd-kud8 (Aliases: CVE-2025-47275, GHSA-g98g-r7gf-2r25) | Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Certain pre-conditions are required to be vulnerable to this issue: applications using the Auth0-PHP SDK, or the Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress SDKs that rely on the Auth0-PHP SDK; and session storage configured with CookieStore. Upgrade Auth0/Auth0-PHP to v8.14.0 to receive a patch. As an additional precautionary measure, rotating cookie encryption keys is recommended. Note that once updated, any previous session cookies will be rejected. | Affected by 3 other vulnerabilities. |
| VCID-gfc3-9m5s-m3bt (Aliases: CVE-2025-68129, GHSA-j2vm-wrq3-f7gf) | Auth0-PHP SDK has Improper Audience Validation. | Affected by 1 other vulnerability. |
| VCID-j9jk-6h3d-zfg6 (Aliases: CVE-2026-34236, GHSA-w3wc-44p4-m4j7) | Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. This issue has been patched in version 8.19.0. | Affected by 0 other vulnerabilities. |
| VCID-prx7-jakb-8uc2 (Aliases: CVE-2025-48951, GHSA-v9m8-9xxp-q492) | Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKs rely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue. | Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |