A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g., fake support phone numbers or URLs), which are displayed within the trusted Keycloak UI. This creates a phishing vector, potentially tricking users into contacting malicious actors.
History

Fri, 05 Sep 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Sep 2025 20:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g., fake support phone numbers or URLs), which are displayed within the trusted Keycloak UI. This creates a phishing vector, potentially tricking users into contacting malicious actors.
Title Keycloak: keycloak error_description injection on error pages
First Time appeared Redhat
Redhat build Keycloak
Weaknesses CWE-79
CPEs cpe:/a:redhat:build_keycloak:
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-09-05T20:15:19.741Z

Reserved: 2025-09-05T18:19:49.483Z

Link: CVE-2025-10044

cve-icon Vulnrichment

Updated: 2025-09-05T20:15:15.449Z

cve-icon NVD

Status : Received

Published: 2025-09-05T20:15:34.430

Modified: 2025-09-05T20:15:34.430

Link: CVE-2025-10044

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.