GHSA-m4j5-5x4r-2xp9

Source

https://github.com/advisories/GHSA-m4j5-5x4r-2xp9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-m4j5-5x4r-2xp9/GHSA-m4j5-5x4r-2xp9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-m4j5-5x4r-2xp9

Aliases

CVE-2025-8419

Related

CGA-63fh-c9m3-2m6q

Published

2025-09-17T20:24:07Z

Modified

2026-02-04T02:52:40.155445Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Keycloak SMTP Inject Vulnerability

Details

Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks.

Database specific

{
    "nvd_published_at": null,
    "severity": "MODERATE",
    "github_reviewed_at": "2025-09-17T20:24:07Z",
    "cwe_ids": [
        "CWE-93"
    ],
    "github_reviewed": true
}

References

Affected packages

Maven / org.keycloak:keycloak-services

Package

Name: org.keycloak:keycloak-services; View open source insights on deps.dev
Purl: pkg:maven/org.keycloak/keycloak-services

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

26.2.8

Affected versions

1.*

1.0-alpha-1

1.0-alpha-1-12062013

1.0-alpha-2

1.0-alpha-3

1.0-alpha-4

1.0-beta-1

1.0-beta-1-20150521

1.0-beta-1-20150523

1.0-beta-2

1.0-beta-3

1.0-beta-4

1.0-rc-1

1.0-rc-2

1.0-final

1.0.1.Final

1.0.2.Final

1.0.3.Final

1.0.4.Final

1.0.5.Final

1.1.0.Beta1

1.1.0.Beta2

1.1.0.Final

1.1.1.Final

1.2.0.Beta1

1.2.0.CR1

1.2.0.Final

1.3.0.Final

1.3.1.Final

1.4.0.Final

1.5.0-Final

1.5.0.Final

1.5.1.Final

1.6.0.Final

1.6.1.Final

1.7.0.CR1

1.7.0.Final

1.8.0.Alpha1

1.8.0.CR1

1.8.0.CR2

1.8.0.CR3

1.8.0.Final

1.8.1.Final

1.9.0.CR1

1.9.0.Final

1.9.1.Final

1.9.2.Final

1.9.3.Final

1.9.4.Final

1.9.5.Final

1.9.7.Final

1.9.8.Final

2.*

2.0.0.CR1

2.0.0.Final

2.1.0.CR1

2.1.0.Final

2.2.0.CR1

2.2.0.Final

2.2.1.Final

2.3.0.CR1

2.3.0.Final

2.4.0.CR1

2.4.0.Final

2.5.0.CR1

2.5.0.Final

2.5.1.Final

2.5.4.Final

2.5.5.Final

3.*

3.0.0.CR1

3.0.0.Final

3.1.0.CR1

3.1.0.Final

3.2.0.CR1

3.2.0.Final

3.2.1.Final

3.3.0.CR1

3.3.0.CR2

3.3.0.Final

3.4.0.CR1

3.4.0.Final

3.4.1.CR1

3.4.1.Final

3.4.2.Final

3.4.3.Final

4.*

4.0.0.Beta1

4.0.0.Beta2

4.0.0.Beta3

4.0.0.Final

4.1.0.Final

4.2.0.Final

4.2.1.Final

4.3.0.Final

4.4.0.Final

4.5.0.Final

4.6.0.Final

4.7.0.Final

4.8.0.Final

4.8.1.Final

4.8.2.Final

4.8.3.Final

5.*

5.0.0

6.*

6.0.0

6.0.1

7.*

7.0.0

7.0.1

8.*

8.0.0

8.0.1

8.0.2

9.*

9.0.0

9.0.2

9.0.3

10.*

10.0.0

10.0.1

10.0.2

11.*

11.0.0

11.0.1

11.0.2

11.0.3

12.*

12.0.0

12.0.1

12.0.2

12.0.3

12.0.4

13.*

13.0.0

13.0.1

14.*

14.0.0

15.*

15.0.0

15.0.1

15.0.2

15.1.0

15.1.1

16.*

16.0.0

16.1.0

16.1.1

17.*

17.0.0

17.0.1

18.*

18.0.0

18.0.1

18.0.2

19.*

19.0.0

19.0.1

19.0.2

19.0.3

20.*

20.0.0

20.0.1

20.0.2

20.0.3

20.0.4

20.0.5

21.*

21.0.0

21.0.1

21.0.2

21.1.0

21.1.1

21.1.2

22.*

22.0.0

22.0.1

22.0.2

22.0.3

22.0.4

22.0.5

23.*

23.0.0

23.0.1

23.0.2

23.0.3

23.0.4

23.0.5

23.0.6

23.0.7

24.*

24.0.0

24.0.1

24.0.2

24.0.3

24.0.4

24.0.5

25.*

25.0.0

25.0.1

25.0.2

25.0.3

25.0.4

25.0.5

25.0.6

26.*

26.0.0

26.0.1

26.0.2

26.0.3

26.0.4

26.0.5

26.0.6

26.0.7

26.0.8

26.1.0

26.1.1

26.1.2

26.1.3

26.1.4

26.1.5

26.2.0

26.2.1

26.2.2

26.2.3

26.2.4

26.2.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-m4j5-5x4r-2xp9/GHSA-m4j5-5x4r-2xp9.json"