Search for packages
| purl | pkg:maven/org.keycloak/keycloak-services@25.0.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1rp9-hqyn-vqh8
Aliases: CVE-2025-3910 GHSA-5jfq-x6xp-7rw2 |
Keycloak vulnerable to two factor authentication bypass # Description A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. |
Affected by 5 other vulnerabilities. |
|
VCID-5s6v-un5w-qyg4
Aliases: GHSA-gj52-35xm-gxjh |
Duplicate Advisory: Keycloak phishing attack via email verification step in first login flow ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xhpr-465j-7p9q. This link is maintained to preserve external references. ### Original Description A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account. |
Affected by 2 other vulnerabilities. |
|
VCID-7363-ze97-87et
Aliases: CVE-2025-2559 GHSA-2935-2wfm-hhpv |
Keycloak Denial of Service (DoS) Vulnerability via JWT Token Cache A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system. |
Affected by 7 other vulnerabilities. |
|
VCID-7nhn-26zx-4fam
Aliases: GHSA-83j7-mhw9-388w |
Duplicate Advisory: Keycloak Privilege Escalation Vulnerability in Admin Console (FGAPv2 Enabled) ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-27gp-8389-hm4w. This link is maintained to preserve external references. ### Original Description A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm. |
Affected by 1 other vulnerability. |
|
VCID-921n-kkxc-gyav
Aliases: GHSA-fx44-2wx5-5fvp |
Duplicate Advisory: Keycloak vulnerable to two factor authentication bypass # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5jfq-x6xp-7rw2. This link is maintained to preserve external references. # Original Description A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. |
Affected by 5 other vulnerabilities. |
|
VCID-a24q-kvu5-2fe7
Aliases: CVE-2025-8419 GHSA-m4j5-5x4r-2xp9 GHSA-qj5r-2r5p-phc7 |
A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-az5g-yu3m-g3c1
Aliases: CVE-2024-8883 GHSA-w8gr-xwp4-r9f7 |
Keycloak has Vulnerable Redirect URI Validation Results in Open Redirect A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost/ or http://127.0.0.1/, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking. |
Affected by 12 other vulnerabilities. |
|
VCID-c7hg-36fr-7ffe
Aliases: CVE-2025-3501 GHSA-hw58-3793-42gg |
Keycloak hostname verification A flaw was found in Keycloak. By setting a verification policy to 'ANY', the trust store certificate verification is skipped, which is unintended. |
Affected by 5 other vulnerabilities. |
|
VCID-cxc7-ub9z-tqgt
Aliases: GHSA-rq4w-cjrr-h8w8 |
Duplicate Advisory: Keycloak allows Incorrect Assignment of an Organization to a User # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-gvgg-2r3r-53x7. This link is maintained to preserve external references. # Original Description A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges. |
Affected by 8 other vulnerabilities. |
|
VCID-jgqy-unwr-myh7
Aliases: CVE-2025-7365 GHSA-xhpr-465j-7p9q |
Keycloak phishing attack via email verification step in first login flow There is a flaw with the first login flow where, during a IdP login, an attacker with a registered account can initiate the process to merge accounts with an existing victim's account. The attacker will subsequently be prompted to "review profile" information, which allows the the attacker to modify their email address to that of a victim's account. This triggers a verification email sent to the victim's email address. If the victim clicks the verification link, the attacker can gain access to the victim's account. While not a zero-interaction attack, the attacker's email address is not directly present in the verification email content, making it a potential phishing opportunity. This issue has been fixed in versions 26.0.13, 26.2.6, and 26.3.0. |
Affected by 0 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-kpgc-cmf5-mqcj
Aliases: GHSA-j3x3-r585-4qhg |
Duplicate Advisory: org.keycloak:keycloak-services has Inefficient Regular Expression Complexity ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-wq8x-cg39-8mrr. This link is maintained to preserve external references. ## Original Description A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity. |
Affected by 10 other vulnerabilities. |
|
VCID-tawq-333x-b3e2
Aliases: CVE-2024-7341 GHSA-5rxp-2rhr-qwqv |
Keycloak has session fixation in Elytron SAML adapters A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation. |
Affected by 14 other vulnerabilities. |
|
VCID-tuhm-hk75-q7a3
Aliases: CVE-2024-10270 GHSA-wq8x-cg39-8mrr |
org.keycloak:keycloak-services has Inefficient Regular Expression Complexity A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity. |
Affected by 10 other vulnerabilities. |
|
VCID-wngh-3b7z-aue7
Aliases: GHSA-vvf8-2h68-9475 |
Duplicate Advisory: Keycloak Open Redirect vulnerability # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-w8gr-xwp4-r9f7. This link is maintained to preserve external references. # Original Description A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking. |
Affected by 12 other vulnerabilities. |
|
VCID-ydys-b2yz-rbgv
Aliases: GHSA-r934-w73g-v4p8 |
Duplicate Advisory: Keycloak hostname verification # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hw58-3793-42gg. This link is maintained to preserve external references. # Original Description A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended. |
Affected by 5 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-smva-uwpy-bud2 | Keycloak Services has a potential bypass of brute force protection If an attacker launches many login attempts in parallel then the attacker can have more guesses at a password than the brute force protection configuration permits. This is due to the brute force check occurring before the brute force protector has locked the user. **Acknowledgements:** Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project. |
CVE-2024-4629
GHSA-gc7q-jgjv-vjr2 |