Keycloak <= 26.3.2 SMTP Inject (GHSA-qj5r-2r5p-phc7)

medium Nessus Plugin ID 246413

Synopsis

The remote host is missing one or more security updates.

Description

The version of Keycloak installed on the remote host is prior or equal to 26.3.2. It is, therefore, affected by an SMTP injection vulnerability, as referenced in the GHSA-qj5r-2r5p-phc7 advisory.

- A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP injection and unexpectedly send short unwanted e-mails. The e-mail is limited to 64 characters (the limited local part of the e-mail address), so the attack is limited to very short e-mails (a subject and little data; the example is 60 chars). This flaw's only direct consequence is an unsolicited e-mail being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks.
(CVE-2025-8419)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

See the vendor advisory.

See Also

https://github.com/advisories/GHSA-qj5r-2r5p-phc7

Plugin Details

Severity: Medium

ID: 246413

File Name: keycloak_GHSA-qj5r-2r5p-phc7.nasl

Version: 1.1

Type: local

Agent: unix

Family: Misc.

Published: 8/8/2025

Updated: 8/8/2025

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.3

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2025-8419

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability Information

CPE: cpe:/a:keycloak:keycloak

Required KB Items: installed_sw/Keycloak

Patch Publication Date: 8/6/2025

Vulnerability Publication Date: 8/6/2025

Reference Information

CVE: CVE-2025-8419

IAVB: 2025-B-0130