CVE-2025-8419

A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2025:15336
https://access.redhat.com/errata/RHSA-2025:15337
https://access.redhat.com/errata/RHSA-2025:15338
https://access.redhat.com/errata/RHSA-2025:15339
https://access.redhat.com/security/cve/CVE-2025-8419	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2385776	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-06 17:15

Updated : 2026-01-08 04:15

NVD link : CVE-2025-8419

Mitre link : CVE-2025-8419

CVE.ORG link : CVE-2025-8419

JSON object : View

Products Affected

redhat

keycloak

CWE

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

{"id": "CVE-2025-8419", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-08-06T17:15:38.467", "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:15336", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2025:15337", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2025:15338", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2025:15339", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/security/cve/CVE-2025-8419", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2385776", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-93"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en los servicios de Keycloak. El uso de caracteres especiales durante el registro de correo electr\u00f3nico puede provocar una inyecci\u00f3n SMTP y enviar inesperadamente correos electr\u00f3nicos cortos no deseados. El correo electr\u00f3nico est\u00e1 limitado a 64 caracteres (parte local limitada), por lo que el ataque se limita a correos muy cortos (asunto y poca informaci\u00f3n; en el ejemplo, 60 caracteres). La \u00fanica consecuencia directa de esta falla es el env\u00edo de un correo electr\u00f3nico no solicitado desde el servidor de Keycloak. Sin embargo, esta acci\u00f3n podr\u00eda ser precursora de ataques m\u00e1s sofisticados."}], "lastModified": "2026-01-08T04:15:56.333", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6E0DE4E1-5D8D-40F3-8AC8-C7F736966158"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}