Auth0-PHP SDK Improper File Path Validation Vulnerability in Bulk User Import

Vulnerability

A vulnerability exists in the Auth0-PHP SDK, versions 3.3.0 through 8.16.0, where the Bulk User Import endpoint does not properly validate the file path or URL passed to it. Because of this missing validation, an application that forwards untrusted input to the endpoint may accept arbitrary file paths, potentially leading to unauthorized file access. The issue also affects applications using the Auth0/Symfony, Auth0/Laravel-Auth0, or Auth0/WordPress SDKs when they depend on a vulnerable Auth0-PHP version.

Impact

Exploitation of this vulnerability could result in arbitrary file read, giving an attacker unauthorized access to sensitive files on the server.

Reproduction

To reproduce this vulnerability, use an application that includes the Auth0-PHP SDK version 3.3.0 through 8.16.0, or one of the dependent SDKs (Auth0/Symfony, Auth0/Laravel-Auth0, or Auth0/WordPress) that relies on this version range. Then call the Bulk User Import endpoint with an unvalidated file path. The application accepts the input, demonstrating the lack of proper validation.

Remediation

Upgrade the Auth0-PHP SDK to version 8.17.0 or later. For applications using Auth0/Symfony, upgrade to version 5.5.0 or later. For those using Auth0/Laravel-Auth0, upgrade to version 7.19.0 or later. If using the Auth0/WordPress plugin, upgrade to version 5.4.0 or later.
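As an added check that is not part of this advisory, the following script reads a project's composer.lock and flags pins below the fixed versions listed above. The Composer package ids auth0/auth0-php, auth0/symfony and auth0/login are assumptions; the advisory names the SDKs, not their package ids.

```python
import json

# Fixed versions from the advisory: Auth0-PHP 8.17.0 (affected 3.3.0-8.16.0),
# Auth0/Symfony 5.5.0, Auth0/Laravel-Auth0 7.19.0. Composer package ids are
# assumptions (the page names the SDKs, not their package ids).
FIXED = {
    "auth0/auth0-php": ((3, 3, 0), (8, 17, 0)),  # (first affected, first fixed)
    "auth0/symfony": (None, (5, 5, 0)),          # page states only the fixed version
    "auth0/login": (None, (7, 19, 0)),           # Laravel SDK; assumed package id
}

def parse_version(text):
    """Composer version -> (major, minor, patch, release). release is 0 for a
    pre-release so 8.17.0-beta1 < 8.17.0; '+build' dropped; dev-* returns None."""
    text = text.strip().lstrip("vV").split("+", 1)[0]
    if text.startswith("dev-") or text.endswith("-dev"):
        return None
    core, _, suffix = text.partition("-")
    nums = [int("".join(c for c in p if c.isdigit()) or 0) for p in core.split(".")]
    nums = (nums + [0, 0, 0])[:3]
    return tuple(nums) + (0 if suffix else 1,)

def is_before(version, bound):
    """True when 4-tuple version is older than 3-tuple release bound."""
    return version[:3] < bound or (version[:3] == bound and version[3] == 0)

def vulnerable_packages(lock_json):
    """Return [(package, installed, first_fixed)] for affected pins in a composer.lock."""
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "").lower()
            if name not in FIXED:
                continue
            first_affected, first_fixed = FIXED[name]
            installed = parse_version(pkg.get("version", ""))
            if installed is None:  # dev branch: not comparable, review by hand
                continue
            in_range = first_affected is None or not is_before(installed, first_affected)
            if in_range and is_before(installed, first_fixed):
                findings.append((name, pkg["version"], "%d.%d.%d" % first_fixed))
    return findings

# Constructed sample lock (not from the page): one fixed pin, two vulnerable pins.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "auth0/auth0-php", "version": "8.16.0"},
    {"name": "auth0/symfony", "version": "5.5.0"},
    {"name": "auth0/login", "version": "v7.18.2"},
]})
```

Run `vulnerable_packages(open("composer.lock").read())` against a real lock file; the WordPress plugin is installed outside Composer and must be checked against 5.4.0 separately.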

Added: Oct 1, 2025, 8:27 PM
Updated: Oct 1, 2025, 8:27 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.