VYPR

Packagist (Composer) package

auth0/auth0-php

pkg:composer/auth0/auth0-php

Vulnerabilities (5)

  • CVE-2026-34236 | High | Apr 1, 2026
    affected >= 8.0.0, < 8.19.0; fixed 8.19.0

    Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and

  • CVE-2025-68129 | Dec 17, 2025
    affected >= 8.0.0, < 8.18.0; fixed 8.18.0

    Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects ar

  • CVE-2025-58769 | Low | Oct 1, 2025
    affected >= 3.3.0, < 8.17.0; fixed 8.17.0

    auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbit

  • CVE-2025-48951 | Critical | Jun 3, 2025
    affected >= 8.0.0-BETA3, < 8.3.1; fixed 8.3.1

    Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send

  • CVE-2025-47275 | Critical | May 15, 2025
    affected >= 8.0.0-BETA1, < 8.14.0; fixed 8.14.0

    Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which m