CVE-2025-58769
Description
auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. The vulnerability affects any application that either directly uses the Auth0-PHP SDK (versions 3.3.0–8.16.0) or indirectly relies on those versions through the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs. This issue is fixed in version 8.17.0.
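The description above boils down to one missing check: a user-controlled string is handed to a file-upload helper as a path, and nothing rejects stream wrappers (`file://`, `php://`, `http://`, ...), confines the path to an expected location, or confirms it is a plain readable file. The following PHP function is an added example of such a check, written for this page and not taken from auth0-PHP; `assertLocalImportFile()` and the idea of a single `$allowedDir` for import files are assumptions, and it assumes PHP 8.0+ for `str_contains()` and `str_starts_with()`.

```php
<?php
declare(strict_types=1);

// Added example (not auth0-PHP code): validate a user-supplied file path
// before passing it to an upload helper such as HttpRequest::addFile().
// $allowedDir is an assumption: the one directory import files may live in.
// Returns the canonical path on success, throws InvalidArgumentException otherwise.
function assertLocalImportFile(string $path, string $allowedDir): string
{
    // 1. Reject any stream-wrapper syntax (file://, php://, http://, phar://, ...).
    if (str_contains($path, '://')) {
        throw new InvalidArgumentException('Stream wrappers are not allowed in file paths.');
    }
    // 2. Reject NUL bytes, which can truncate the path in lower-level calls.
    if (str_contains($path, "\0")) {
        throw new InvalidArgumentException('Path contains a NUL byte.');
    }
    // 3. Canonicalise both sides; realpath() returns false for paths that do not exist,
    //    and resolves '..' segments and symlinks so the prefix check below is meaningful.
    $baseReal = realpath($allowedDir);
    $real = realpath($path);
    if ($baseReal === false || $real === false) {
        throw new InvalidArgumentException('Path does not exist.');
    }
    // 4. Confine to the allowed directory. The trailing separator stops
    //    "/data-other" from matching an allowed dir of "/data".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (!str_starts_with($real, $prefix)) {
        throw new InvalidArgumentException('Path is outside the allowed import directory.');
    }
    // 5. Must be a regular, readable file; file_exists()-style checks also accept directories.
    if (!is_file($real) || !is_readable($real)) {
        throw new InvalidArgumentException('Path is not a readable regular file.');
    }
    return $real;
}

// Demonstration with constructed inputs in a throwaway temp directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid('import_demo_');
mkdir($dir);
$good = $dir . DIRECTORY_SEPARATOR . 'users.json';
file_put_contents($good, '[{"email":"user@example.com"}]'); // constructed sample import file

$cases = [
    $good,                                            // accepted
    'file://' . $good,                                // rejected: stream wrapper
    $dir . '/../' . basename($dir) . '/users.json',   // accepted: same file after realpath()
    $dir . '/../../some-other-file.txt',              // rejected: outside allowed dir (or non-existent)
    $dir,                                             // rejected: a directory, not a file
];
foreach ($cases as $case) {
    try {
        echo 'ACCEPT ', assertLocalImportFile($case, $dir), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'REJECT ', $case, ' (', $e->getMessage(), ')', PHP_EOL;
    }
}

unlink($good);
rmdir($dir);
```

The order of the checks matters: the wrapper test runs on the raw string before anything touches the filesystem, `realpath()` collapses traversal and symlinks so that the directory-prefix comparison is done on canonical paths, and the `is_file()` test closes the gap left by `file_exists()`, which is true for directories as well as files.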
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| auth0/auth0-php (Packagist) | >= 3.3.0, < 8.17.0 | 8.17.0 |
Affected products
Patches
3 files changed · +9 −2
CHANGELOG.md+7 −0 modified@@ -1,5 +1,12 @@ # Change Log +## [8.17.0](https://github.com/auth0/auth0-PHP/tree/8.17.0) (2025-10-01) +[Full Changelog](https://github.com/auth0/auth0-PHP/compare/8.16.0...8.17.0) + +**Fixed** + +- Security fix: Resolve CVE-2025-58769 + ## [8.16.0](https://github.com/auth0/auth0-PHP/tree/8.16.0) (2025-09-11) [Full Changelog](https://github.com/auth0/auth0-PHP/compare/8.15.0...8.16.0)
src/Auth0.php+1 −1 modified@@ -21,7 +21,7 @@ final class Auth0 implements Auth0Interface /** * @var string */ - public const VERSION = '8.16.0'; + public const VERSION = '8.17.0'; /** * Authentication Client.
.version+1 −1 modified@@ -1 +1 @@ -8.16.0 +8.17.0
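Review bot: the new CHANGELOG.md entry says only "Security fix: Resolve CVE-2025-58769"; downstream consumers (the Symfony, Laravel and WordPress SDKs that wrap this package) would be helped by one more line naming the affected API and the change in behaviour, e.g. "HttpRequest::addFile() now rejects paths containing stream wrappers and requires an existing, readable file", since that is also a behavioural change for any caller that previously passed a wrapper path on purpose.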
9026da58f5c3 fix: Enhance file validation in HttpRequest to prevent arbitrary file read vulnerabilities
3 files changed · +62 −0
src/Utility/Assert.php+9 −0 modified@@ -3937,6 +3937,7 @@ public static function file($value, $message = ''): void /** * Will also pass if $value is a directory, use Assert::file() instead if you need to be sure it is a file. + * Prevents arbitrary file read vulnerabilities by rejecting paths with protocol separators. * * @param mixed $value * @param string $message @@ -3947,6 +3948,14 @@ public static function fileExists($value, $message = ''): void { self::string($value); + // Reject paths containing protocol separators to prevent arbitrary file read + if (str_contains((string) $value, '://')) { + self::reportInvalidArgument(sprintf( + $message ?: 'File paths with protocol separators ("://") are not allowed: %s', + self::valueToString($value), + )); + } + if (! file_exists($value)) { self::reportInvalidArgument(sprintf( $message ?: 'The file %s does not exist.',
src/Utility/HttpRequest.php+3 −0 modified@@ -10,6 +10,7 @@ use Exception; use Http\Message\MultipartStream\MultipartStreamBuilder; use Psr\Http\Client\ClientExceptionInterface; + use Psr\Http\Message\{RequestInterface, ResponseInterface, StreamInterface}; use function defined; @@ -130,6 +131,8 @@ public function addFile( ?string $file_path, ): self { if (null !== $file_path) { + Assert::fileExists($file_path); + Assert::readable($file_path); $this->files[$field] = $file_path; }
tests/Unit/Utility/HttpRequestTest.php+50 −0 modified@@ -176,6 +176,56 @@ function(): HttpRequest { fn() => new HttpRequest($this->configuration, HttpClient::CONTEXT_GENERIC_CLIENT, 'get', '/' . uniqid()) ]]); +it('rejects file paths with protocol separators', function(): void { + $client = new HttpRequest($this->configuration, HttpClient::CONTEXT_GENERIC_CLIENT, 'post', '/'); + + expect(fn() => $client->addFile('test', 'file:///etc/passwd')) + ->toThrow(\InvalidArgumentException::class, 'File paths with protocol separators ("://") are not allowed: "file:///etc/passwd"'); + + expect(fn() => $client->addFile('test', 'http://example.com/file.txt')) + ->toThrow(\InvalidArgumentException::class, 'File paths with protocol separators ("://") are not allowed: "http://example.com/file.txt"'); + + expect(fn() => $client->addFile('test', 'php://filter/convert.base64-encode/resource=/etc/passwd')) + ->toThrow(\InvalidArgumentException::class, 'File paths with protocol separators ("://") are not allowed: "php://filter/convert.base64-encode/resource=/etc/passwd"'); +}); + +it('rejects file paths for non-existent or unreadable files', function(): void { + $client = new HttpRequest($this->configuration, HttpClient::CONTEXT_GENERIC_CLIENT, 'post', '/'); + + // Non-existent file + expect(fn() => $client->addFile('test', '/non/existent/file.txt')) + ->toThrow(\InvalidArgumentException::class, 'The file "/non/existent/file.txt" does not exist.'); + + // Create a temp file with no read permissions to test unreadable file + $tempFile = sys_get_temp_dir() . '/' . 
uniqid('auth0_test_'); + file_put_contents($tempFile, 'test content'); + chmod($tempFile, 0000); // Remove all permissions + + try { + expect(fn() => $client->addFile('test', $tempFile)) + ->toThrow(\InvalidArgumentException::class); + } finally { + chmod($tempFile, 0666); // Restore permissions so we can delete it + @unlink($tempFile); + } +}); + +it('allows valid local file paths', function(): void { + $client = new HttpRequest($this->configuration, HttpClient::CONTEXT_GENERIC_CLIENT, 'post', '/'); + + // Create a temporary file that exists and is readable + $tempFile = sys_get_temp_dir() . '/' . uniqid('auth0_test_'); + file_put_contents($tempFile, 'test content'); + + try { + // This should not throw an exception + $result = $client->addFile('test', $tempFile); + expect($result)->toBeInstanceOf(HttpRequest::class); + } finally { + @unlink($tempFile); + } +}); + it('throws a NetworkException when the underlying client raises a ClientExceptionInterface', function(HttpRequest $client): void { $client->call(); })->with(['mocked client' => [
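Review bot: in the src/Utility/Assert.php hunk, the `://` rejection is added to `Assert::fileExists()`, whose own docblock (kept in the same hunk) says it "Will also pass if $value is a directory, use Assert::file() instead if you need to be sure it is a file", and `HttpRequest::addFile()` relies on exactly `fileExists()` plus `readable()`, so a directory path still passes both checks. Have `addFile()` call `Assert::file()` instead, which is the method the docblock itself points to. Separately, `fileExists()` is a general-purpose assertion used elsewhere, so rejecting every `://` path there changes its contract for all callers; either document that in the method docblock (the added sentence only says why) or keep the wrapper check local to the upload path.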
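Review bot: in the src/Utility/HttpRequest.php hunk, `addFile()` validates the path once and then only stores the string (`$this->files[$field] = $file_path;`); the file is opened later when the multipart body is built with `MultipartStreamBuilder`, so the check and the read are separated in time and a path whose target changes in between (a symlink, for instance) is not covered. Store the result of `realpath()` rather than the raw string, or open the stream in `addFile()` and keep the handle, so the object that was validated is the one that gets sent. The added `use Psr\Http\Message\{RequestInterface, ResponseInterface, StreamInterface};` line is not referenced by anything in the visible hunks; if it is needed by existing code it belongs in a separate change so the security fix stays minimal.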
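Review bot: in the tests/Unit/Utility/HttpRequestTest.php hunk, the unreadable-file case (`chmod($tempFile, 0000);`) passes trivially when the suite runs as root, because root bypasses mode bits and `Assert::readable()` then does not throw, and `chmod` has no effect on Windows; guard it with a skip when `is_readable($tempFile)` is still true after the chmod (or when `posix_geteuid() === 0`). That expectation also omits the expected message, unlike the other `toThrow()` calls in the hunk, so any `InvalidArgumentException` would satisfy it. There is no case asserting that a directory path is rejected, which matters because `Assert::fileExists()` accepts directories by its own docblock.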
Vulnerability mechanics
References
- github.com/advisories/GHSA-9mh6-g99m-ppcw (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-58769 (GHSA, advisory)
- github.com/auth0/auth0-PHP/commit/9026da58f5c381cd4cb5932de829eff6eacbb65c (NVD, web)
- github.com/auth0/auth0-PHP/releases/tag/8.17.0 (NVD, web)
- github.com/auth0/auth0-PHP/security/advisories/GHSA-9mh6-g99m-ppcw (NVD, web)
- github.com/auth0/laravel-auth0/security/advisories/GHSA-hjfh-5jmm-xr24 (NVD, web)
- github.com/auth0/symfony/security/advisories/GHSA-7jp2-5h22-m432 (NVD, web)
- github.com/auth0/wordpress/security/advisories/GHSA-w22c-pw5m-482x (NVD, web)