Auth0-PHP SDK Improper Audience Validation Vulnerability

Vulnerability

A vulnerability exists in the Auth0-PHP SDK, affecting versions 8.0.0 prior to 8.17.0. It arises from improper audience validation of access tokens, which allows an affected application to mistakenly accept an ID token where an access token is required. Applications that use Auth0-related SDKs or plugins built on vulnerable Auth0-PHP versions are also affected. The vulnerability has been patched in Auth0-PHP version 8.18.0.

Impact

Exploitation of this vulnerability results in improper authentication token validation: an application may accept an ID token as if it were an access token, which could be misused for unauthorized access or actions.
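The audience check that distinguishes an access token from an ID token, as an added illustration (not code from the Auth0-PHP SDK). An access token issued for an API carries that API's identifier in its aud claim, while an ID token's aud is the application's own client ID; the API identifier, client ID, and the unsigned test tokens below are constructed values, and signature verification is assumed to happen separately. The lax_accept function is a constructed sketch of the failure mode, not a reproduction of the SDK's code.

```python
import base64
import json

# Constructed identifiers for this example (not taken from the advisory).
API_AUDIENCE = "https://api.example.com"  # identifier of the protected API
CLIENT_ID = "abc123clientid"              # the application's own client ID


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def claims_of(jwt: str) -> dict:
    """Return the payload claims of a compact JWT. Signature verification is
    assumed to be done elsewhere (e.g. against the tenant JWKS); this helper
    only parses the payload so the audience logic can be shown in isolation."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def audiences(claims: dict) -> list:
    """RFC 7519 allows 'aud' to be either a single string or an array."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def accept_as_access_token(jwt: str, expected_audience: str = API_AUDIENCE) -> bool:
    """Strict check: a token presented to the API must name the API identifier
    in 'aud'. An ID token names the client ID instead, so it is refused."""
    return expected_audience in audiences(claims_of(jwt))


def lax_accept(jwt: str) -> bool:
    """Constructed illustration of the failure mode: treating any audience the
    application knows about (API identifier OR its own client ID) as valid
    lets an ID token pass where an access token is required."""
    return any(a in (API_AUDIENCE, CLIENT_ID) for a in audiences(claims_of(jwt)))


def make_unsigned_jwt(payload: dict) -> str:
    """Build a constructed, unsigned (alg 'none') JWT as test input only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


ISSUER = "https://tenant.example.auth0.com/"  # constructed tenant issuer
ACCESS_TOKEN = make_unsigned_jwt({"iss": ISSUER, "sub": "auth0|user1",
                                  "aud": [API_AUDIENCE], "azp": CLIENT_ID})
ID_TOKEN = make_unsigned_jwt({"iss": ISSUER, "sub": "auth0|user1",
                              "aud": CLIENT_ID, "nonce": "n1"})
```

Run against the two constructed tokens, the strict check accepts only ACCESS_TOKEN, while lax_accept also passes ID_TOKEN.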

Remediation

Users should upgrade to Auth0-PHP version 8.18.0 or later. Applications using Auth0/Symfony should upgrade to version 5.6.0 or later, and those using Auth0/Laravel-Auth0 to version 7.20.0 or later. WordPress users should upgrade to version 5.5.0.

Added: Dec 17, 2025, 10:21 PM
Updated: Dec 17, 2025, 10:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 4.0
remediation: 7.7
relevance: 1.5
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.