GHSA-7jp2-5h22-m432: 
PHP vulnerability analysis and mitigation

The Auth0 Symfony SDK contains a vulnerability (CVE-2025-58769) in versions 2.0.2 through 5.4.1 where the Bulk User Import endpoint fails to properly validate file-path wrappers and values. This vulnerability affects applications using the Auth0 Symfony SDK that relies on Auth0-PHP SDK versions 3.3.0 through 8.16.0. The issue was discovered by Mohamed Amine Saidani (pwni) and has been assigned a CVSS v3.1 base score of 3.3 (Low severity) (GitHub Advisory).

The vulnerability is characterized by improper file type handling in the Bulk User Import functionality. It has been assigned CWE-434 (Unrestricted Upload of File with Dangerous Type) classification. The CVSS v3.1 vector string is CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N, indicating that while the vulnerability is network-accessible, it requires high attack complexity and high privileges to exploit. The vulnerability affects both confidentiality and integrity at a low level, with no impact on availability (GitHub Advisory).

When exploited, the vulnerability could allow affected applications to accept arbitrary file paths or URLs through the Bulk User Import endpoint, potentially leading to unauthorized file access or manipulation. The impact is considered low severity due to the high attack complexity and privilege requirements, with limited effects on both confidentiality and integrity (GitHub Advisory).

The vulnerability has been patched in Auth0 Symfony SDK version 5.5.0. Users are strongly advised to upgrade to this version or later to address the security issue. The fix includes updating the auth0/auth0-php dependency to version 8.17.0 or higher (GitHub Release, GitHub Commit).