GHSA-27gc-wj6x-9w55
Suggest an improvement- Source
- https://github.com/advisories/GHSA-27gc-wj6x-9w55
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-27gc-wj6x-9w55/GHSA-27gc-wj6x-9w55.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-27gc-wj6x-9w55
- Aliases
-
- CVE-2025-10044
- Downstream
- Published
- 2025-10-17T17:39:13Z
- Modified
- 2025-10-17T18:42:44.372189Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Keycloak error_description injection on error pages that can trigger phishing attacks
- Details
-
Keycloak’s account console accepts arbitrary text in the
error_descriptionquery parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g., fake support phone numbers or URLs), which are displayed within the trusted Keycloak UI. This creates a phishing vector, potentially tricking users into contacting malicious actors. - Database specific
{ "github_reviewed_at": "2025-10-17T17:39:13Z", "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": null, "cwe_ids": [ "CWE-79" ] }- References
-
- https://github.com/keycloak/keycloak/security/advisories/GHSA-27gc-wj6x-9w55
- https://nvd.nist.gov/vuln/detail/CVE-2025-10044
- https://github.com/keycloak/keycloak/pull/42035
- https://access.redhat.com/errata/RHSA-2025:16399
- https://access.redhat.com/errata/RHSA-2025:16400
- https://access.redhat.com/security/cve/CVE-2025-10044
- https://bugzilla.redhat.com/show_bug.cgi?id=2393551
- https://github.com/keycloak/keycloak
Affected packages
Maven
org.keycloak:keycloak-account-ui
Package
- Name
- org.keycloak:keycloak-account-ui
- View open source insights on deps.dev
- Purl
- pkg:maven/org.keycloak/keycloak-account-ui
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed26.2.9
Affected versions
21.*
21.1.1
21.1.2
22.*
22.0.0
22.0.1
22.0.2
22.0.3
22.0.4
22.0.5
23.*
23.0.0
23.0.1
23.0.2
23.0.3
23.0.4
23.0.5
23.0.6
23.0.7
24.*
24.0.0
24.0.1
24.0.2
24.0.3
24.0.4
24.0.5
25.*
25.0.0
25.0.1
25.0.2
25.0.3
25.0.4
25.0.5
25.0.6
26.*
26.0.0
26.0.1
26.0.2
26.0.3
26.0.4
26.0.5
26.0.6
26.0.7
26.0.8
26.1.0
26.1.1
26.1.2
26.1.3
26.1.4
26.1.5
26.2.0
26.2.1
26.2.2
26.2.3
26.2.4
26.2.5
org.keycloak:keycloak-account-ui
Package
- Name
- org.keycloak:keycloak-account-ui
- View open source insights on deps.dev
- Purl
- pkg:maven/org.keycloak/keycloak-account-ui
org.keycloak:keycloak-admin-ui
Package
- Name
- org.keycloak:keycloak-admin-ui
- View open source insights on deps.dev
- Purl
- pkg:maven/org.keycloak/keycloak-admin-ui
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed26.2.9
Affected versions
1.*
1.0-alpha-1
1.0-alpha-1-12062013
1.0-alpha-2
1.0-alpha-3
1.0-alpha-4
15.*
15.1.0
15.1.1
16.*
16.0.0
16.1.0
16.1.1
17.*
17.0.0
17.0.1
18.*
18.0.1
18.0.2
19.*
19.0.0
19.0.1
19.0.2
19.0.3
20.*
20.0.0
20.0.1
20.0.2
20.0.3
20.0.4
20.0.5
21.*
21.0.0
21.0.1
21.0.2
21.1.1
21.1.2
22.*
22.0.0
22.0.1
22.0.2
22.0.3
22.0.4
22.0.5
22.19.0
23.*
23.0.0
23.0.1
23.0.2
23.0.3
23.0.4
23.0.5
23.0.6
23.0.7
24.*
24.0.0
24.0.1
24.0.2
24.0.3
24.0.4
24.0.5
25.*
25.0.0
25.0.1
25.0.2
25.0.3
25.0.4
25.0.5
25.0.6
26.*
26.0.0
26.0.1
26.0.2
26.0.3
26.0.4
26.0.5
26.0.6
26.0.7
26.0.8
26.1.0
26.1.1
26.1.2
26.1.3
26.1.4
26.1.5
26.2.0
26.2.1
26.2.2
26.2.3
26.2.4
26.2.5
org.keycloak:keycloak-admin-ui
Package
- Name
- org.keycloak:keycloak-admin-ui
- View open source insights on deps.dev
- Purl
- pkg:maven/org.keycloak/keycloak-admin-ui