Considered by the maintainers a bug scenario experienced rather than a vulnerability.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00038.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

No data.

No data.

No data.

No data.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-27027 A path traversal validation flaw exists in Keycloak’s vault key handling on Windows. The previous fix for CVE-2024-10492 did not account for the Windows file separator (\). As a result, a high-privilege administrator could probe for the existence of files outside the expected realm context through crafted vault secret lookups. This is a platform-specific variant/incomplete fix of CVE-2024-10492.
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://nvd.nist.gov/vuln/detail/CVE-2025-10043 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-10043 cve-icon
History

Thu, 09 Oct 2025 03:15:00 +0000

Type Values Removed Values Added
Title Keycloak: incomplete fix of cve-2024-10492 keycloak: Incomplete fix of CVE-2024-10492
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Oct 2025 02:30:00 +0000

Type Values Removed Values Added
References

Thu, 09 Oct 2025 02:15:00 +0000

Type Values Removed Values Added
Description A path traversal validation flaw exists in Keycloak’s vault key handling on Windows. The previous fix for CVE-2024-10492 did not account for the Windows file separator (\). As a result, a high-privilege administrator could probe for the existence of files outside the expected realm context through crafted vault secret lookups. This is a platform-specific variant/incomplete fix of CVE-2024-10492. Considered by the maintainers a bug scenario experienced rather than a vulnerability.
CPEs cpe:/a:redhat:build_keycloak:26.2::el9
Vendors & Products Redhat
Redhat build Keycloak

Mon, 22 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
References

Mon, 22 Sep 2025 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak: cpe:/a:redhat:build_keycloak:26.2::el9
References

Sat, 06 Sep 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Low

Fri, 05 Sep 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Sep 2025 20:15:00 +0000

Type Values Removed Values Added
Description A path traversal validation flaw exists in Keycloak’s vault key handling on Windows. The previous fix for CVE-2024-10492 did not account for the Windows file separator (\). As a result, a high-privilege administrator could probe for the existence of files outside the expected realm context through crafted vault secret lookups. This is a platform-specific variant/incomplete fix of CVE-2024-10492.
Title Keycloak: incomplete fix of cve-2024-10492
First Time appeared Redhat
Redhat build Keycloak
Weaknesses CWE-73
CPEs cpe:/a:redhat:build_keycloak:
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}
cve-icon MITRE

Status: REJECTED

Assigner: redhat

Published:

Updated: 2025-10-09T01:45:58.716Z

Reserved: 2025-09-05T18:12:23.630Z

Link: CVE-2025-10043

cve-icon Vulnrichment

Updated:

cve-icon NVD

Status : Rejected

Published: 2025-09-05T20:15:34.220

Modified: 2025-10-09T02:15:40.607

Link: CVE-2025-10043

cve-icon Redhat

Severity : Low

Publid Date: 2025-09-05T00:00:00Z

Links: CVE-2025-10043 - Bugzilla

cve-icon OpenCVE Enrichment

No data.