GHSA-f3r2-88mq-9v4g: Auth0 Symfony SDK has Improper Audience Validation via Auth0-PHP SDK

December 17, 2025

In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.

References

github.com/advisories/GHSA-f3r2-88mq-9v4g
github.com/auth0/symfony
github.com/auth0/symfony/commit/0103d6f8dcef6996653fad1f823d1c167f472479
github.com/auth0/symfony/releases/tag/5.6.0
github.com/auth0/symfony/security/advisories/GHSA-f3r2-88mq-9v4g

Code Behaviors & Features

Detect and mitigate GHSA-f3r2-88mq-9v4g with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →