Vulnerability details: VCID-a24q-kvu5-2fe7
Vulnerability ID VCID-a24q-kvu5-2fe7
Aliases CVE-2025-8419
GHSA-m4j5-5x4r-2xp9
GHSA-qj5r-2r5p-phc7
Summary A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP injection and unexpectedly send short, unwanted e-mails. The e-mail is limited to 64 characters (the limit of the local part of the e-mail address), so the attack is limited to very short e-mails (a subject and little data; the example is 60 characters). The only direct consequence of this flaw is an unsolicited e-mail being sent from the Keycloak server. However, this action could be a precursor to more sophisticated attacks.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Weaknesses (3)
System Score Found at
cvssv3.1 5.3 https://access.redhat.com/errata/RHSA-2025:15336
cvssv3.1 6.5 https://access.redhat.com/errata/RHSA-2025:15336
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2025:15336
ssvc Track https://access.redhat.com/errata/RHSA-2025:15336
cvssv3.1 5.3 https://access.redhat.com/errata/RHSA-2025:15337
cvssv3.1 6.5 https://access.redhat.com/errata/RHSA-2025:15337
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2025:15337
ssvc Track https://access.redhat.com/errata/RHSA-2025:15337
cvssv3.1 5.3 https://access.redhat.com/errata/RHSA-2025:15338
cvssv3.1 6.5 https://access.redhat.com/errata/RHSA-2025:15338
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2025:15338
ssvc Track https://access.redhat.com/errata/RHSA-2025:15338
cvssv3.1 5.3 https://access.redhat.com/errata/RHSA-2025:15339
cvssv3.1 6.5 https://access.redhat.com/errata/RHSA-2025:15339
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2025:15339
ssvc Track https://access.redhat.com/errata/RHSA-2025:15339
cvssv3 6.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-8419.json
cvssv3.1 5.3 https://access.redhat.com/security/cve/CVE-2025-8419
cvssv3.1 6.5 https://access.redhat.com/security/cve/CVE-2025-8419
generic_textual MODERATE https://access.redhat.com/security/cve/CVE-2025-8419
ssvc Track https://access.redhat.com/security/cve/CVE-2025-8419
epss 0.00039 https://api.first.org/data/v1/epss?cve=CVE-2025-8419
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2025-8419
epss 0.00051 https://api.first.org/data/v1/epss?cve=CVE-2025-8419
epss 0.00067 https://api.first.org/data/v1/epss?cve=CVE-2025-8419
cvssv3.1 5.3 https://bugzilla.redhat.com/show_bug.cgi?id=2385776
cvssv3.1 6.5 https://bugzilla.redhat.com/show_bug.cgi?id=2385776
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=2385776
ssvc Track https://bugzilla.redhat.com/show_bug.cgi?id=2385776
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-m4j5-5x4r-2xp9
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-qj5r-2r5p-phc7
cvssv3.1 5.3 https://github.com/keycloak/keycloak
cvssv3.1 6.5 https://github.com/keycloak/keycloak
generic_textual MODERATE https://github.com/keycloak/keycloak
cvssv3.1 5.3 https://github.com/keycloak/keycloak/security/advisories/GHSA-m4j5-5x4r-2xp9
cvssv3.1_qr MODERATE https://github.com/keycloak/keycloak/security/advisories/GHSA-m4j5-5x4r-2xp9
generic_textual MODERATE https://github.com/keycloak/keycloak/security/advisories/GHSA-m4j5-5x4r-2xp9
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2025-8419
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2025-8419
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-8419
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-8419.json
https://api.first.org/data/v1/epss?cve=CVE-2025-8419
https://github.com/keycloak/keycloak
https://github.com/keycloak/keycloak/security/advisories/GHSA-m4j5-5x4r-2xp9
https://nvd.nist.gov/vuln/detail/CVE-2025-8419
cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*
cpe:/a:redhat:build_keycloak: https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:
cpe:/a:redhat:build_keycloak:26.0 https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.0
cpe:/a:redhat:build_keycloak:26.0::el9 https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.0::el9
cpe:/a:redhat:build_keycloak:26.2 https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.2
cpe:/a:redhat:build_keycloak:26.2::el9 https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.2::el9
CVE-2025-8419 https://access.redhat.com/security/cve/CVE-2025-8419
GHSA-m4j5-5x4r-2xp9 https://github.com/advisories/GHSA-m4j5-5x4r-2xp9
GHSA-qj5r-2r5p-phc7 https://github.com/advisories/GHSA-qj5r-2r5p-phc7
RHSA-2025:15336 https://access.redhat.com/errata/RHSA-2025:15336
RHSA-2025:15337 https://access.redhat.com/errata/RHSA-2025:15337
RHSA-2025:15338 https://access.redhat.com/errata/RHSA-2025:15338
RHSA-2025:15339 https://access.redhat.com/errata/RHSA-2025:15339
show_bug.cgi?id=2385776 https://bugzilla.redhat.com/show_bug.cgi?id=2385776
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://access.redhat.com/errata/RHSA-2025:15336
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/errata/RHSA-2025:15336
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-06T17:23:42Z/ Found at https://access.redhat.com/errata/RHSA-2025:15336
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://access.redhat.com/errata/RHSA-2025:15337
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/errata/RHSA-2025:15337
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-06T17:23:42Z/ Found at https://access.redhat.com/errata/RHSA-2025:15337
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://access.redhat.com/errata/RHSA-2025:15338
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/errata/RHSA-2025:15338
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-06T17:23:42Z/ Found at https://access.redhat.com/errata/RHSA-2025:15338
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://access.redhat.com/errata/RHSA-2025:15339
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/errata/RHSA-2025:15339
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-06T17:23:42Z/ Found at https://access.redhat.com/errata/RHSA-2025:15339
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-8419.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://access.redhat.com/security/cve/CVE-2025-8419
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/security/cve/CVE-2025-8419
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-06T17:23:42Z/ Found at https://access.redhat.com/security/cve/CVE-2025-8419
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=2385776
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=2385776
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-06T17:23:42Z/ Found at https://bugzilla.redhat.com/show_bug.cgi?id=2385776
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/keycloak/keycloak
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/keycloak/keycloak
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/keycloak/keycloak/security/advisories/GHSA-m4j5-5x4r-2xp9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-8419
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-8419
Exploit Prediction Scoring System (EPSS)
Percentile 0.10464
EPSS Score 0.00039
Published At Aug. 7, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-08-07T08:56:27.088355+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/8xxx/CVE-2025-8419.json 37.0.0