GHSA-7hh9-gp72-wh7h: Auth0 Laravel SDK has Improper Audience Validation via Auth0-PHP SDK dependency

December 17, 2025

In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.

References

github.com/advisories/GHSA-7hh9-gp72-wh7h
github.com/auth0/laravel-auth0
github.com/auth0/laravel-auth0/commit/a1c3344dc0e5a36e8f56c8cfc535728d3d7558f3
github.com/auth0/laravel-auth0/releases/tag/7.20.0
github.com/auth0/laravel-auth0/security/advisories/GHSA-7hh9-gp72-wh7h

Code Behaviors & Features

Detect and mitigate GHSA-7hh9-gp72-wh7h with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →