Packagist (Composer) package
auth0/auth0-php
pkg:composer/auth0/auth0-php
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-34236 | High | 8.2 | — | >= 8.0.0, < 8.19.0 | 8.19.0 | Apr 1, 2026 | Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and |
| CVE-2025-68129 | — | — | — | >= 8.0.0, < 8.18.0 | 8.18.0 | Dec 17, 2025 | Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects ar |
| CVE-2025-58769 | Low | 3.3 | — | >= 3.3.0, < 8.17.0 | 8.17.0 | Oct 1, 2025 | auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbit |
| CVE-2025-48951 | Critical | — | — | >= 8.0.0-BETA3, < 8.3.1 | 8.3.1 | Jun 3, 2025 | Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send |
| CVE-2025-47275 | Critical | 9.1 | — | >= 8.0.0-BETA1, < 8.14.0 | 8.14.0 | May 15, 2025 | Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which m |