CVE-2025-68129: Auth0-PHP SDK has Improper Audience Validation

Published Dec 17, 2025
·
Updated

Description In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Affected product and versions Projects are affected if they meet the following preconditions:

- Applications using the Auth0-PHP SDK, versions between v8.0.0 and v8.17.0, or - Applications using the following SDKs that rely on the Auth0-PHP SDK versions between v8.0.0 and v8.17.0: - a. Auth0/symfony, - b. Auth0/laravel-auth0, - c. Auth0/wordpress.

Resolution Upgrade Auth0/Auth0-PHP to version 8.18.0 or greater.

Acknowledgement Okta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.

Other sources

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects are affected if they use Auth0-PHP SDK versions between v8.0.0 and v8.17.0, or applications using the following SDKs that rely on the Auth0-PHP SDK versions between v8.0.0 and v8.17.0: Auth0/symfony versions between 5.0.0 and 5.5.0, Auth0/laravel-auth0 versions between 7.0.0 and 7.19.0, and/or Auth0/wordpress plugin versions between 5.0.0-BETA0 and 5.4.0. Auth0/Auth0-PHP version 8.18.0 contains a patch for the issue.

MITRE

Affected Software

5 affected componentsFixes available
composer/auth0/auth0-php>=8.0.0<8.18.0
8.18.0
Auth0 Auth0-PHP>=8.0.0<8.18.0
Auth0 Laravel-auth0 Laravel>=7.0.0<7.20.0
Auth0 symfony>=5.0.0<5.6.0
Auth0 Wp-auth0 Wordpress>=5.0.0<5.5.0

Remediation

Patch Available

https://github.com/auth0/auth0-PHP/commit/7fe700053aee609718460c123f00f53c511f0f7f

Patch Available

https://github.com/auth0/laravel-auth0/commit/a1c3344dc0e5a36e8f56c8cfc535728d3d7558f3

Patch Available

https://github.com/auth0/symfony/commit/0103d6f8dcef6996653fad1f823d1c167f472479

Patch Available

https://github.com/auth0/wordpress/commit/b207c6f7fd06507b90c4e6bcc18a857ef9e018de

Event History

Dec 17, 2025
Advisory Published
via GitHub·08:52 PM
Data Sourced
via GitHub·08:52 PM
DescriptionSeverityWeaknessAffected Software
CVE Published
via MITRE·10:07 PM
Data Sourced
via MITRE·10:07 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·10:16 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·10:16 PM
RemedyAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2025-68129?

CVE-2025-68129 has a medium severity level due to improper audience validation in access tokens.

2

How do I fix CVE-2025-68129?

To fix CVE-2025-68129, upgrade the Auth0-PHP SDK to version 8.18.0 or later.

3

What impact does CVE-2025-68129 have on my application?

CVE-2025-68129 can lead to security risks by allowing applications to improperly accept ID tokens as access tokens.

4

Which versions of Auth0-PHP are affected by CVE-2025-68129?

CVE-2025-68129 affects Auth0-PHP versions between 8.0.0 and 8.18.0.

5

Is my application vulnerable if it uses Auth0-PHP SDK?

Yes, your application is vulnerable to CVE-2025-68129 if it uses affected versions of the Auth0-PHP SDK without the proper fix.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203