logo

Database

Authentication mechanism absence or evasion In auth0/auth0-php

Description

Auth0-PHP SDK has Improper Audience Validation

Description

In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.

Affected product and versions

Projects are affected if they meet the following preconditions:

    Applications using the Auth0-PHP SDK, versions between v8.0.0 and v8.17.0, or

    Applications using the following SDKs that rely on the Auth0-PHP SDK versions between v8.0.0 and v8.17.0:

      a. Auth0/symfony,

      b. Auth0/laravel-auth0,

      c. Auth0/wordpress.

Resolution

Upgrade Auth0/Auth0-PHP to version 8.18.0 or greater.

Acknowledgement

Okta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-681292. NVD-2025-681293. OSV-2025-681294. GHSA-j2vm-wrq3-f7gf5. GHSA-7hh9-gp72-wh7h6. GHSA-f3r2-88mq-9v4g7. GHSA-vvg7-8rmq-92g78. GCVE-2025-68129

References

1. https://github.com/auth0/auth0-PHP/security/advisories/GHSA-j2vm-wrq3-f7gf2. https://github.com/auth0/laravel-auth0/security/advisories/GHSA-7hh9-gp72-wh7h3. https://github.com/auth0/symfony/security/advisories/GHSA-f3r2-88mq-9v4g4. https://github.com/auth0/wordpress/security/advisories/GHSA-vvg7-8rmq-92g75. https://github.com/auth0/auth0-PHP/commit/7fe700053aee609718460c123f00f53c511f0f7f6. https://github.com/auth0/laravel-auth0/commit/a1c3344dc0e5a36e8f56c8cfc535728d3d7558f37. https://github.com/auth0/symfony/commit/0103d6f8dcef6996653fad1f823d1c167f4724798. https://github.com/auth0/wordpress/commit/b207c6f7fd06507b90c4e6bcc18a857ef9e018de9. https://github.com/auth0/auth0-PHP/releases/tag/8.18.010. https://github.com/auth0/laravel-auth0/releases/tag/7.20.011. https://github.com/auth0/symfony/releases/tag/5.6.012. https://github.com/auth0/wordpress/releases/tag/5.5.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.