GHSA-hjfh-5jmm-xr24: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-hjfh-5jmm-xr24/CVE-2025-58769) affects the Auth0-PHP SDK's Bulk User Import endpoint, specifically in versions 3.3.0 through 8.16.0. The vulnerability is present in applications using the Auth0 laravel-auth0 SDK versions 4.0.0 to 7.18.0. The core issue lies in the SDK's failure to validate file-path wrappers or values, potentially allowing applications to accept arbitrary file paths or URLs. This vulnerability was discovered by Mohamed Amine Saidani (pwni) and was disclosed on October 1, 2025 (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (Low severity) with the following vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N. The technical assessment indicates that while the vulnerability is network-accessible (AV:N), it requires high attack complexity (AC:H) and high privileges (PR:H) to exploit. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and involves improper handling of file types in the Bulk User Import functionality (GitHub Advisory).

The vulnerability could potentially allow attackers to manipulate file paths or URLs through the Bulk User Import endpoint, leading to low-level impacts on both confidentiality and integrity of the system, while maintaining no impact on availability. The scope remains unchanged, indicating that the vulnerability cannot affect resources beyond its security scope (GitHub Advisory).

The vulnerability has been patched in Auth0 laravel-auth0 SDK version 7.19.0. Users are strongly advised to upgrade to this version or later to address the security issue. The fix involves updating the auth0/auth0-php dependency to version 8.17.0 or higher (Laravel Auth0 Release, GitHub Commit).