GHSA-7jp2-5h22-m432: 
PHP vulnerability analysis and mitigation

The Auth0 Symfony SDK contains a vulnerability (CVE-2025-58769) in versions 2.0.2 through 5.4.1 where the Bulk User Import endpoint fails to properly validate file-path wrappers and values. This vulnerability affects applications using the Auth0 Symfony SDK that relies on Auth0-PHP SDK versions between 3.3.0 and 8.16.0. The issue was discovered by Mohamed Amine Saidani (pwni) and was disclosed on October 1, 2025 (GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 3.3 (Low severity) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N. The issue is categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type) and involves improper handling of file types in the Bulk User Import functionality. Without proper validation, affected applications may accept arbitrary file paths or URLs, potentially leading to security issues (GitHub Advisory).

The vulnerability could potentially allow attackers to manipulate file paths or URLs through the Bulk User Import endpoint, leading to low-level impacts on both confidentiality and integrity of the system, while availability remains unaffected. The attack requires high complexity and high privileges to execute, which somewhat mitigates its potential impact (GitHub Advisory).

The vulnerability has been patched in Auth0 Symfony SDK version 5.5.0. Users are strongly advised to upgrade to this version or later to address the security issue. The fix involves updating the auth0/auth0-php dependency to version 8.17.0 or higher (GitHub Commit, GitHub Release).