ghsa-j2vm-wrq3-f7gf
Vulnerability from github
Published
2025-12-17 20:52
Modified
2025-12-20 05:13
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
Auth0-PHP SDK has Improper Audience Validation
Details

Description

In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.

Affected product and versions

Projects are affected if they meet the following preconditions:

  • Applications using the Auth0-PHP SDK, versions between v8.0.0 and v8.17.0, or
  • Applications using the following SDKs that rely on the Auth0-PHP SDK versions between v8.0.0 and v8.17.0:
    • a. Auth0/symfony,
    • b. Auth0/laravel-auth0,
    • c. Auth0/wordpress.

Resolution

Upgrade Auth0/Auth0-PHP to version 8.18.0 or greater.

Acknowledgement

Okta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "auth0/auth0-php"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-17T20:52:43Z",
    "nvd_published_at": "2025-12-17T22:16:01Z",
    "severity": "MODERATE"
  },
  "details": "### Description\nIn applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.\n### Affected product and versions\nProjects are affected if they meet the following preconditions:\n\n- Applications using the Auth0-PHP SDK, versions between v8.0.0 and v8.17.0, or\n- Applications using the following SDKs that rely on the Auth0-PHP SDK versions between v8.0.0 and v8.17.0:\n    - a. Auth0/symfony,\n    - b. Auth0/laravel-auth0,\n    - c. Auth0/wordpress.\n\n### Resolution\nUpgrade Auth0/Auth0-PHP to version 8.18.0 or greater.\n\n### Acknowledgement\nOkta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.",
  "id": "GHSA-j2vm-wrq3-f7gf",
  "modified": "2025-12-20T05:13:26Z",
  "published": "2025-12-17T20:52:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-j2vm-wrq3-f7gf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-7hh9-gp72-wh7h"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/symfony/security/advisories/GHSA-f3r2-88mq-9v4g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/wordpress/security/advisories/GHSA-vvg7-8rmq-92g7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68129"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/auth0-PHP/commit/7fe700053aee609718460c123f00f53c511f0f7f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/laravel-auth0/commit/a1c3344dc0e5a36e8f56c8cfc535728d3d7558f3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/symfony/commit/0103d6f8dcef6996653fad1f823d1c167f472479"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/wordpress/commit/b207c6f7fd06507b90c4e6bcc18a857ef9e018de"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/auth0/auth0-PHP"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/auth0-PHP/releases/tag/8.18.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/laravel-auth0/releases/tag/7.20.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/symfony/releases/tag/5.6.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/wordpress/releases/tag/5.5.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Auth0-PHP SDK has Improper Audience Validation"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.