CVE-2025-68129
CVE-2025-68129 is a medium-severity vulnerability in Auth0 Auth0-php with a CVSS 3.x base score of 6.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-863.
Key facts
- Severity: Medium (CVSS 3.x base score 6.8)
- EPSS exploit prediction: 0% (29th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-203985
- Weakness: CWE-863
- Affected product: Auth0 Auth0-php
- Published:
- Last modified:
Description
Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects are affected if they use Auth0-PHP SDK versions between v8.0.0 and v8.17.0, or applications using the following SDKs that rely on the Auth0-PHP SDK versions between v8.0.0 and v8.17.0: Auth0/symfony versions between 5.0.0 and 5.5.0, Auth0/laravel-auth0 versions between 7.0.0 and 7.19.0, and/or Auth0/wordpress plugin versions between 5.0.0-BETA0 and 5.4.0. Auth0/Auth0-PHP version 8.18.0 contains a patch for the issue.
Frequently asked questions
- What is CVE-2025-68129?
- Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects are affected if they use Auth0-PHP SDK versions between v8.0.0 and v8.17.0, or applications using the following SDKs that rely on the Auth0-PHP SDK versions between v8.0.0 and v8.17.0: Auth0/symfony versions between 5.0.0 and 5.5.0, Auth0/laravel-auth0 versions between 7.0.0 and 7.19.0, and/or Auth0/wordpress plugin versions between 5.0.0-BETA0 and 5.4.0. Auth0/Auth0-PHP version 8.18.0 contains a patch for the issue.
- How severe is CVE-2025-68129?
- CVE-2025-68129 has a CVSS 3.x base score of 6.8, rated medium severity. It is exploitable over network with high attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2025-68129 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (29th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-68129?
- CVE-2025-68129 primarily affects Auth0 Auth0-php. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2025-68129?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-68129 have an EU (EUVD) identifier?
- Yes. CVE-2025-68129 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-203985.
- When was CVE-2025-68129 published?
- CVE-2025-68129 was published on 2025-12-17 and last updated on 2026-06-17.
References
- https://github.com/auth0/auth0-PHP/commit/7fe700053aee609718460c123f00f53c511f0f7f
- https://github.com/auth0/auth0-PHP/releases/tag/8.18.0
- https://github.com/auth0/auth0-PHP/security/advisories/GHSA-j2vm-wrq3-f7gf
- https://github.com/auth0/laravel-auth0/commit/a1c3344dc0e5a36e8f56c8cfc535728d3d7558f3
- https://github.com/auth0/laravel-auth0/releases/tag/7.20.0
- https://github.com/auth0/laravel-auth0/security/advisories/GHSA-7hh9-gp72-wh7h
- https://github.com/auth0/symfony/commit/0103d6f8dcef6996653fad1f823d1c167f472479
- https://github.com/auth0/symfony/releases/tag/5.6.0
- https://github.com/auth0/symfony/security/advisories/GHSA-f3r2-88mq-9v4g
- https://github.com/auth0/wordpress/commit/b207c6f7fd06507b90c4e6bcc18a857ef9e018de
- https://github.com/auth0/wordpress/releases/tag/5.5.0
- https://github.com/auth0/wordpress/security/advisories/GHSA-vvg7-8rmq-92g7
Affected products (4)
- cpe:2.3:a:auth0:auth0-php:*:*:*:*:*:*:*:*
- cpe:2.3:a:auth0:laravel-auth0:*:*:*:*:*:laravel:*:*
- cpe:2.3:a:auth0:symfony:*:*:*:*:*:*:*:*
- cpe:2.3:a:auth0:wp-auth0:*:*:*:*:*:wordpress:*:*
More vulnerabilities in Auth0 Auth0-php
- CVE-2026-34236 — High (CVSS 8.2): Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in…
All CVEs affecting Auth0 Auth0-php →
Other CWE-863 (Incorrect Authorization) vulnerabilities
- CVE-2026-48286 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization…
- CVE-2026-48303 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization…
- CVE-2026-44330 — Critical (CVSS 10.0): free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the…
- CVE-2026-46595 — Critical (CVSS 10.0): Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of…
- CVE-2026-33105 — Critical (CVSS 10.0): Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over…
- CVE-2026-32213 — Critical (CVSS 10.0): Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network.
Browse all CWE-863 (Incorrect Authorization) vulnerabilities →