CVE-2025-68129 Detail

Description

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects are affected if they use Auth0-PHP SDK versions between v8.0.0 and v8.17.0, or applications using the following SDKs that rely on the Auth0-PHP SDK versions between v8.0.0 and v8.17.0: Auth0/symfony versions between 5.0.0 and 5.5.0, Auth0/laravel-auth0 versions between 7.0.0 and 7.19.0, and/or Auth0/wordpress plugin versions between 5.0.0-BETA0 and 5.4.0. Auth0/Auth0-PHP version 8.18.0 contains a patch for the issue.


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NIST (NVD): N/A. NVD assessment not yet provided.

References to Advisories, Solutions, and Tools


URL Source(s) Tag(s)
https://github.com/auth0/auth0-PHP/commit/7fe700053aee609718460c123f00f53c511f0f7f GitHub, Inc.
https://github.com/auth0/auth0-PHP/releases/tag/8.18.0 GitHub, Inc.
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-j2vm-wrq3-f7gf GitHub, Inc.
https://github.com/auth0/laravel-auth0/commit/a1c3344dc0e5a36e8f56c8cfc535728d3d7558f3 GitHub, Inc.
https://github.com/auth0/laravel-auth0/releases/tag/7.20.0 GitHub, Inc.
https://github.com/auth0/laravel-auth0/security/advisories/GHSA-7hh9-gp72-wh7h GitHub, Inc.
https://github.com/auth0/symfony/commit/0103d6f8dcef6996653fad1f823d1c167f472479 GitHub, Inc.
https://github.com/auth0/symfony/releases/tag/5.6.0 GitHub, Inc.
https://github.com/auth0/symfony/security/advisories/GHSA-f3r2-88mq-9v4g GitHub, Inc.
https://github.com/auth0/wordpress/commit/b207c6f7fd06507b90c4e6bcc18a857ef9e018de GitHub, Inc.
https://github.com/auth0/wordpress/releases/tag/5.5.0 GitHub, Inc.
https://github.com/auth0/wordpress/security/advisories/GHSA-vvg7-8rmq-92g7 GitHub, Inc.

Weakness Enumeration

CWE-ID CWE Name Source
CWE-863 Incorrect Authorization GitHub, Inc.  

Quick Info

CVE Dictionary Entry: CVE-2025-68129
NVD Published Date: 12/17/2025
NVD Last Modified: 12/17/2025
Source: GitHub, Inc.